CVE-2025-14737
Command Injection in TP-Link WA850RE Allows Authenticated Code Execution
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: TPLink
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | wa850re | v2_160527 |
| tp-link | wa850re | v3_160922 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14737 is a Command Injection vulnerability in the TP-Link WA850RE devices (versions V2 and V3). It exists in the httpd modules and allows an authenticated attacker who is adjacent (on the same network segment) to inject arbitrary commands that execute with root privileges. This means the attacker can run any command on the device with full control, potentially compromising the entire system. The vulnerability is rated high severity with a CVSS v4.0 score of 7.1. [1, 2]
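The CWE-78 pattern behind this class of bug, as an added illustration that is not TP-Link's code and is not taken from the WA850RE firmware: a request parameter is pasted into a shell command string, so shell metacharacters in the parameter become part of the command that httpd hands to system() or popen(), running as whatever user httpd runs as. Beside it is the hardened form: an allow-list check on the parameter and an argv vector for execve()/posix_spawn(), so no shell ever parses the input. The handler shape, the ping command, and the sample attacker input are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative, not the WA850RE code): the HTTP
 * parameter is concatenated into a shell command line. Anything the shell
 * treats specially in `host` (;, |, $(), backticks) is interpreted when the
 * string reaches system()/popen(); if httpd runs as root, so does the
 * injected command. Returns 0 on success, -1 if the buffer is too small. */
int build_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* True if a command string contains a shell metacharacter, i.e. the input
 * escaped the intended "ping -c 1 <host>" structure. Useful as a regression
 * check on the vulnerable builder, not as a defence. */
int cmd_has_shell_meta(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n\r'\"\\ \t") != NULL;
}

/* Hardened input check: an allow-list of characters that can legitimately
 * appear in a hostname or IPv4/IPv6 literal, with a length bound. A leading
 * '-' is rejected so the value cannot be parsed as a ping option either. */
int host_is_allowed(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Hardened command construction: no shell at all. The caller passes argv to
 * execve()/posix_spawn(); `host` is one argv element, so metacharacters
 * carry no meaning even if the allow-list were later loosened.
 * Returns the number of argv entries (excluding the NULL), or -1 if the
 * input is rejected or the array is too small. */
int build_argv_safe(const char *host, const char *argv[], int argv_cap)
{
    if (argv_cap < 5 || !host_is_allowed(host)) return -1;
    argv[0] = "/bin/ping";   /* assumed path; use the firmware's real one */
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed attacker-controlled parameter, as it might arrive in a
     * request to a diagnostics handler (hypothetical, not a real endpoint). */
    const char *evil = "127.0.0.1;reboot";
    char cmd[128];
    const char *argv[5];

    if (build_cmd_vulnerable(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable builder produced: %s (meta=%d)\n",
               cmd, cmd_has_shell_meta(cmd));

    printf("hardened builder: %s\n",
           build_argv_safe(evil, argv, 5) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The point of the second builder is that validation and shell avoidance are independent layers: the allow-list stops the obvious payloads, and passing the value as a single argv element means that even a character the allow-list missed is delivered to ping as data, never to /bin/sh as syntax.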
How can this vulnerability impact me?
This vulnerability can lead to a full system compromise of the affected TP-Link WA850RE device. An attacker with valid credentials and network adjacency can execute arbitrary commands with root privileges, which can result in unauthorized control over the device, disruption of its operation, data theft, or further attacks on the network. Additionally, when combined with a related configuration disclosure vulnerability, attackers may gain access to sensitive information such as admin credentials, increasing the risk and impact. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the firmware of the TP-Link WA850RE device to the latest version available from TP-Link's official support site; check the installed version against the affected builds listed above (v2_160527 for V2, v3_160922 for V3) to confirm the device is in scope. This update addresses the command injection vulnerability and the related configuration disclosure issues, preventing attackers from exploiting these flaws. Until the update is applied, limit who can reach and log in to the management interface (a strong, unique admin password and no exposure beyond the trusted LAN), since exploitation requires valid credentials and adjacent network access. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated adjacent attackers to inject arbitrary commands with root privileges, potentially leading to full system compromise and exposure of sensitive information such as admin credentials. This exposure and compromise of sensitive data could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. Failure to update the firmware leaves the device vulnerable to these risks, thereby increasing the likelihood of non-compliance with such regulations. [1, 2]