CVE-2022-22922

9.8 CRITICAL

📋 TL;DR

This vulnerability in TP-Link TL-WA850RE Wi-Fi range extenders allows attackers to gain administrative access by exploiting predictable session keys. Attackers can take full control of affected devices, potentially compromising connected networks. Users with TL-WA850RE range extenders running firmware versions before v6_200923 are affected.

💻 Affected Systems

Products:
  • TP-Link TL-WA850RE Wi-Fi Range Extender
Versions: All firmware versions before v6_200923
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware are vulnerable regardless of configuration settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete network compromise where attackers gain administrative control, intercept all traffic, deploy malware to connected devices, and use the device as a pivot point for further attacks.

🟠 Likely Case

Unauthorized administrative access to the range extender allowing attackers to change settings, monitor network traffic, and potentially access connected devices.

🟢 If Mitigated

Limited impact if device is isolated from critical systems and regularly monitored for unauthorized configuration changes.

🌐 Internet-Facing: HIGH - Wi-Fi range extenders are typically internet-facing devices that broadcast wireless networks accessible to nearby attackers.
🏢 Internal Only: MEDIUM - While primarily internet-facing, compromised devices could be used to pivot to internal networks if not properly segmented.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves predictable session keys that can be easily calculated or brute-forced by attackers with physical proximity to the wireless network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6_200923 and later

Vendor Advisory: https://www.tp-link.com/us/support/download/tl-wa850re/v6/#Firmware

Restart Required: Yes

Instructions:

1. Visit the TP-Link support page for TL-WA850RE v6.
2. Download firmware version v6_200923 or later.
3. Log into the range extender web interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. The device will reboot automatically.

🔧 Temporary Workarounds

Network Isolation

all

Place the range extender on a separate VLAN or network segment to limit potential damage if compromised.

Disable Remote Management

all

Disable any remote management features and ensure the web interface is only accessible from trusted networks.

🧯 If You Can't Patch

  • Replace the device with a newer model or different vendor product that is not vulnerable
  • Disable the range extender entirely and use alternative networking solutions

🔍 How to Verify

Check if Vulnerable:

Access the range extender web interface, navigate to System Tools > Firmware Upgrade, and check the current firmware version.

Check Version:

No CLI command available - check via web interface at http://tplinkrepeater.net or device IP address

Verify Fix Applied:

After updating, verify the firmware version shows v6_200923 or later in the System Tools > Firmware Upgrade page.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from unexpected IP/MAC addresses
  • Configuration changes made from unauthorized sources

Network Indicators:

  • Unusual administrative traffic to range extender management interface
  • Changes to wireless network settings without authorization

SIEM Query:

source="range_extender_logs" AND (event_type="login_success" OR event_type="config_change") AND user_agent NOT IN ("trusted_user_agents")
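
The log indicators above can also be checked offline against exported management-interface events. The following is an added example, not part of the original advisory or any vendor tooling: the `login_success` and `config_change` event types come from the SIEM query above, while `login_failure`, the `ts` and `src_ip` field names, the allowlist and the thresholds are assumptions to adapt to your own log schema.

```python
from datetime import datetime, timedelta

# Assumed schema: "login_success" and "config_change" are taken from the SIEM query
# above; "login_failure", "ts" and "src_ip" are hypothetical names for this example.
TRUSTED_ADMIN_SOURCES = {"192.168.0.10"}   # constructed allowlist of admin hosts
FAIL_THRESHOLD = 3                         # failures that make a later success suspicious
WINDOW = timedelta(minutes=10)             # how far back failures are counted

def find_suspicious(events, trusted=TRUSTED_ADMIN_SOURCES,
                    threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (timestamp, src_ip, reason) tuples matching the log indicators."""
    recent_failures = {}   # src_ip -> timestamps of failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, src, kind = ev["ts"], ev["src_ip"], ev["event_type"]
        if kind == "login_failure":
            recent_failures.setdefault(src, []).append(ts)
            continue
        if kind == "login_success":
            # Indicator 1: repeated failures followed by a success from the same source
            fails = [t for t in recent_failures.get(src, []) if ts - t <= window]
            if len(fails) >= threshold:
                alerts.append((ts, src, "success_after_failures"))
            recent_failures.pop(src, None)
        # Indicator 2: admin login or config change from a source outside the allowlist
        if kind in ("login_success", "config_change") and src not in trusted:
            alerts.append((ts, src, f"{kind}_from_untrusted_source"))
    return alerts

def _ev(hms, src, kind):
    """Build one constructed event on a fixed sample date."""
    return {"ts": datetime.fromisoformat(f"2024-01-01T{hms}"),
            "src_ip": src, "event_type": kind}

# Constructed sample events (not real device logs)
SAMPLE_EVENTS = [
    _ev("09:00:00", "192.168.0.10", "login_success"),
    _ev("09:01:00", "192.168.0.10", "config_change"),
    _ev("10:00:00", "192.168.0.77", "login_failure"),
    _ev("10:00:05", "192.168.0.77", "login_failure"),
    _ev("10:00:09", "192.168.0.77", "login_failure"),
    _ev("10:00:14", "192.168.0.77", "login_success"),
    _ev("10:02:00", "192.168.0.77", "config_change"),
]

if __name__ == "__main__":
    for ts, src, reason in find_suspicious(SAMPLE_EVENTS):
        print(ts.isoformat(), src, reason)
```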
