Login Sign Up

CVE-2023-47617

7.2 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on TP-Link ER7206 Omada Gigabit VPN Router by sending specially crafted HTTP requests when configuring web group members. Attackers with valid credentials can gain remote code execution on affected devices. Only TP-Link ER7206 routers running specific vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • TP-Link ER7206 Omada Gigabit VPN Router
Versions: 1.3.0 build 20230322 Rel.70591
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit. Default credentials increase risk.

📦 What is this software?

Er7206 Firmware by Tp Link

View all CVEs affecting Er7206 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, pivot to internal networks, install persistent backdoors, or use the device for further attacks.

🟠

Likely Case

Attackers with stolen or default credentials gain full control of the router, enabling traffic monitoring, credential theft, and network disruption.

🟢

If Mitigated

With strong authentication and network segmentation, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check TP-Link for latest firmware updates

Vendor Advisory: https://www.tp-link.com/support/download/er7206/

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to System Tools > Firmware Upgrade. 3. Download latest firmware from TP-Link. 4. Upload and install firmware. 5. Reboot router.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit administrative access to specific IP addresses or VLANs

Change Default Credentials

all

Use strong, unique passwords for all administrative accounts

🧯 If You Can't Patch

  • Isolate the router in a dedicated network segment with strict firewall rules
  • Disable remote administration and require VPN for management access

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Tools > Firmware Upgrade

Check Version:

No CLI command available - check via web interface

Verify Fix Applied:

Verify firmware version is newer than 1.3.0 build 20230322 Rel.70591

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to web group configuration endpoints
  • Multiple failed login attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from router
  • Suspicious commands in HTTP request payloads

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/luci/" OR method="POST") AND (payload CONTAINS "$" OR payload CONTAINS "|" OR payload CONTAINS ";")

📊 Metadata

CVE ID: CVE-2023-47617
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: February 6, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47617, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)