CVE-2025-14737

8.0 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in the httpd module of TP-Link WA850RE range extenders. An attacker who is authenticated to the device's web interface and on the same network segment can execute arbitrary commands on the device. Affected devices are the WA850RE V2 and V3 running the firmware builds listed below or earlier.

💻 Affected Systems

Products:
  • TP-Link WA850RE
Versions: WA850RE V2 firmware ≤ 160527, WA850RE V3 firmware ≤ 160922
Operating Systems: Embedded Linux (vendor firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to be authenticated on the same network segment as the device.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing persistent backdoor installation, network pivoting to other devices, and data exfiltration.

🟠

Likely Case

Local network compromise, device configuration changes, denial of service, and credential harvesting.

🟢

If Mitigated

Limited impact due to network segmentation and strong authentication controls.

🌐 Internet-Facing: LOW (requires adjacent network access, not directly internet exploitable)
🏢 Internal Only: HIGH (exploitable by any authenticated user on the same network segment)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details published in Exodus Intelligence blog. Requires authenticated access to web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware versions after WA850RE V2_160527 and V3_160922

Vendor Advisory: https://www.tp-link.com/us/support/faq/4848/

Restart Required: Yes

Instructions:

1. Download the latest firmware from the TP-Link support site.
2. Log into the device web interface.
3. Navigate to System Tools > Firmware Upgrade.
4. Upload the firmware file.
5. Wait for the automatic reboot.

🔧 Temporary Workarounds

Network Segmentation
Applies to: all

Isolate WA850RE devices on a separate VLAN from critical systems

Access Control
Applies to: all

Restrict web interface access to trusted management IPs only

🧯 If You Can't Patch

  • Physically disconnect from network if not essential
  • Implement strict firewall rules blocking all unnecessary traffic to/from device

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface under System Tools > Firmware Upgrade

Check Version:

Not applicable - check via web interface only

Verify Fix Applied:

Confirm firmware version is newer than affected versions listed in CVE

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from WA850RE
  • HTTP requests with command injection patterns to device web interface

SIEM Query:

dest_ip=WA850RE_IP AND (http_uri CONTAINS ";" OR http_uri CONTAINS "|" OR http_uri CONTAINS "`")
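The SIEM query above misses percent-encoded metacharacters (";" arrives as "%3B" in a URI). The following is an added example, not part of this advisory or of any TP-Link tooling, that applies the same detection logic to constructed web-access log lines, decoding the URI before matching and keeping only requests whose destination is the extender's management IP (a placeholder value; the log format and the request paths are also constructed).

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical format and paths):
#   client_ip dst_ip "METHOD URI HTTP/x" status
SAMPLE_LOGS = """\
192.168.0.23 192.168.0.254 "GET /status.htm HTTP/1.1" 200
192.168.0.23 192.168.0.254 "GET /cgi-bin/example?host=a%3Bid HTTP/1.1" 200
192.168.0.77 192.168.0.254 "POST /login HTTP/1.1" 401
192.168.0.77 192.168.0.254 "GET /cgi-bin/example?host=a%257Cls HTTP/1.1" 200
192.168.0.9 10.0.0.5 "GET /index.html?q=a;b HTTP/1.1" 200
"""

EXTENDER_IP = "192.168.0.254"  # placeholder: management IP of the WA850RE
# Shell metacharacters from the SIEM query plus the $( ) substitution form.
META = re.compile(r"[;|`]|\$\(")
LINE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) [^"]*" (\d{3})$')


def decode(uri):
    """Percent-decode until stable so double-encoded input (%257C) is caught."""
    prev, cur = None, uri
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def find_suspicious(log_text, device_ip=EXTENDER_IP):
    """Return requests to device_ip whose decoded URI carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, method, uri, status = m.groups()
        if dst != device_ip:
            continue  # only traffic aimed at the extender's web interface
        if META.search(decode(uri)):
            hits.append({"src": src, "method": method, "uri": uri,
                         "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
```

The last sample line contains a ";" but targets another host, so it is not reported; the two hits come from encoded and double-encoded metacharacters that a plain substring match on the raw URI would miss.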
