CVE-2025-14737
Unknown Unknown - Not Provided
Command Injection in TP-Link WA850RE Allows Authenticated Code Execution

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: TPLink

Description
Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows authenticated adjacent attacker to inject arbitrary commands.This issue affects: ≀ WA850RE V2_160527, ≀ WA850RE V3_160922.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14737
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tp-link wa850re v2_160527
tp-link wa850re v3_160922
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14737 is a Command Injection vulnerability in the TP-Link WA850RE devices (versions V2 and V3). It exists in the httpd modules and allows an authenticated attacker who is adjacent (on the same network segment) to inject arbitrary commands that execute with root privileges. This means the attacker can run any command on the device with full control, potentially compromising the entire system. The vulnerability is rated high severity with a CVSS v4.0 score of 7.1. [1, 2]

Impact Analysis

This vulnerability can lead to a full system compromise of the affected TP-Link WA850RE device. An attacker with valid credentials and network adjacency can execute arbitrary commands with root privileges, which can result in unauthorized control over the device, disruption of its operation, data theft, or further attacks on the network. Additionally, when combined with a related configuration disclosure vulnerability, attackers may gain access to sensitive information such as admin credentials, increasing the risk and impact. [1, 2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the firmware of the TP-Link WA850RE device to the latest version available from TP-Link's official support site. This update addresses the command injection vulnerability and related configuration disclosure issues, preventing attackers from exploiting these flaws. [1, 2, 3]

Compliance Impact

The vulnerability allows authenticated adjacent attackers to inject arbitrary commands with root privileges, potentially leading to full system compromise and exposure of sensitive information such as admin credentials. This exposure and compromise of sensitive data could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. Failure to update the firmware leaves the device vulnerable to these risks, thereby increasing the likelihood of non-compliance with such regulations. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart