CVE-2023-49134
📋 TL;DR
An unauthenticated remote command execution vulnerability in TP-Link wireless access points allows attackers to execute arbitrary commands by sending specially crafted network packets. This affects TP-Link EAP225 V3 and EAP115 V4 access points with specific vulnerable firmware versions. Attackers can gain complete control of affected devices without authentication.
💻 Affected Systems
- TP-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3)
- TP-Link N300 Wireless Access Point (EAP115 V4)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the access point allowing attackers to pivot to internal networks, intercept/modify traffic, install persistent backdoors, or use the device for further attacks.
Likely Case
Attackers gain remote shell access to execute commands, potentially installing malware, modifying configurations, or using the device as a foothold for lateral movement.
If Mitigated
With proper network segmentation and access controls, impact is limited to the access point itself without allowing network pivoting.
🎯 Exploit Status
Exploit requires sending a sequence of network packets to trigger the vulnerability. Technical details and proof-of-concept are publicly available in the Talos Intelligence report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check TP-Link website for latest firmware updates
Vendor Advisory: https://www.tp-link.com/support/download/
Restart Required: Yes
Instructions:
1. Log into the TP-Link support website.
2. Download the latest firmware for your specific model.
3. Upload the firmware through the device web interface.
4. Reboot the device after the update completes.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected access points from critical network segments using VLANs or firewall rules
Access Control Lists
Restrict management interface access to trusted IP addresses only
🧯 If You Can't Patch
- Remove affected devices from production networks immediately
- Replace with patched or alternative devices
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the device web interface; the vulnerable builds are EAP225 V3 v5.1.0 Build 20220926 and EAP115 V4 v5.0.4 Build 20220216
Check Version:
Check via web interface or SSH if enabled: cat /etc/version
Verify Fix Applied:
Verify firmware version has been updated to a version newer than the vulnerable builds
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Multiple failed authentication attempts followed by successful access
- Unexpected process creation
Network Indicators:
- Unusual network traffic to/from access point management interface
- Suspicious packets to port 29808 (uclited service)
SIEM Query:
source="access_point" AND (event="command_execution" OR (process="uclited" AND action="unusual"))
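As an added example (not code from the advisory, Talos or TP-Link), the following Python applies the two indicators above to constructed log lines: an exec event whose parent process is uclited, and flows to port 29808 from hosts outside a trusted management set. The syslog and flow-record formats, the addresses and the MGMT_HOSTS set are assumptions chosen for the illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real device output): syslog-style process
# events from the access point, and flow records of traffic reaching it.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 eap225 uclited[412]: discovery request from 10.0.20.5",
    "Jan 10 12:00:02 eap225 kernel: exec uclited[412] -> /bin/sh -c 'id'",
    "Jan 10 12:00:05 eap225 kernel: exec httpd[230] -> /sbin/reboot",
]
SAMPLE_FLOWS = [
    "2024-01-10T12:00:00Z src=10.0.10.2 dst=10.0.20.5 dport=443 proto=tcp",
    "2024-01-10T12:00:01Z src=203.0.113.9 dst=10.0.20.5 dport=29808 proto=udp",
    "2024-01-10T12:00:01Z src=203.0.113.9 dst=10.0.20.5 dport=29808 proto=udp",
]

MGMT_HOSTS = {"10.0.10.2"}  # assumed trusted management hosts
UCLITED_PORT = 29808        # port named in the advisory's network indicators
SHELLS = ("/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox")

# Assumed log shapes: "exec <parent>[pid] -> <child> ..." and key=value flows.
EXEC_RE = re.compile(r"exec (?P<parent>\w+)\[\d+\] -> (?P<child>\S+)")
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def flag_process_events(lines):
    """Return (line, reason) pairs for exec events whose parent is uclited.
    The service has no business spawning child processes, least of all a shell,
    so any such event is the advisory's 'unexpected process creation'."""
    hits = []
    for line in lines:
        m = EXEC_RE.search(line)
        if m and m["parent"] == "uclited":
            reason = ("uclited spawned shell" if m["child"].startswith(SHELLS)
                      else "uclited spawned process")
            hits.append((line, reason))
    return hits


def flag_uclited_traffic(lines, trusted):
    """Count flows to the uclited port per source, ignoring trusted hosts.
    Anything left is traffic the management ACL workaround should have blocked."""
    counts = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if m and int(m["dport"]) == UCLITED_PORT and m["src"] not in trusted:
            counts[m["src"]] += 1
    return dict(counts)
```

Feed real syslog and flow exports through the two functions after adjusting the regular expressions to your collector's format; the trusted set should match the addresses allowed by your management ACL.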