CVE-2023-47167 – This CVE describes an authenticated command inj... (How to Fix)

Q: What is the severity of CVE-2023-47167?

CVE-2023-47167 has a CVSS score of 7.2 (HIGH). This CVE describes an authenticated command injection vulnerability in TP-Link ER7206 Omada VPN routers. An attacker with valid credentials can execute arbitrary commands on the router by sending specially crafted HTTP requests. This affects administrators and organizations using the vulnerable router version.

📋 TL;DR

This CVE describes an authenticated command injection vulnerability in TP-Link ER7206 Omada VPN routers. An attacker with valid credentials can execute arbitrary commands on the router by sending specially crafted HTTP requests. This affects administrators and organizations using the vulnerable router version.

💻 Affected Systems

Products:

TP-Link ER7206 Omada Gigabit VPN Router

Versions: 1.3.0 build 20230322 Rel.70591

Operating Systems: Embedded router OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the router's web interface.

📦 What is this software?

Er7206 Firmware by Tp Link

View all CVEs affecting Er7206 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attacker to install persistent backdoors, intercept network traffic, pivot to internal networks, or use the router for further attacks.

🟠

Likely Case

Router configuration manipulation, credential harvesting, network reconnaissance, or launching attacks against internal systems.

🟢

If Mitigated

Limited impact if strong authentication controls, network segmentation, and proper monitoring are in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid credentials but command injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link for latest firmware updates

Vendor Advisory: https://www.tp-link.com/support/download/er7206/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from TP-Link. 4. Upload and apply firmware update. 5. Reboot router.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit router admin interface access to specific IP addresses or VLANs only.

Strong Authentication

all

Enforce complex passwords and consider multi-factor authentication if supported.

🧯 If You Can't Patch

Isolate router on separate management VLAN with strict access controls
Implement network monitoring for unusual HTTP requests to router admin interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Tools > Firmware Upgrade

Check Version:

Check via web interface or SSH if enabled: show version

Verify Fix Applied:

Confirm firmware version is newer than 1.3.0 build 20230322 Rel.70591

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to GRE policy endpoints
Multiple failed login attempts followed by successful login

Network Indicators:

Unexpected outbound connections from router
Unusual traffic patterns from router management interface

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/luci/" OR uri CONTAINS "gre_policy") AND method="POST"

📊 Metadata

CVE ID: CVE-2023-47167

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: February 6, 2024

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1855 Exploit,Technical Description,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1855 Exploit,Technical Description,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1855

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47167, you might also want to check these: