CVE-2022-0650 in TL-WR940N
Summary
by MITRE • 03/28/2023
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link TL-WR940N 3.20.1 Build 200316 Rel.34392n (5553) routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-13993.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2022-0650 represents a critical buffer overflow flaw in the TP-Link TL-WR940N router firmware version 3.20.1 Build 200316 Rel.34392n, which operates under the CWE-121 category of stack-based buffer overflow conditions. This vulnerability exists within the httpd service that listens on the standard TCP port 80, making it accessible to network-adjacent attackers who can reach the device through local network connections. The flaw stems from insufficient input validation mechanisms that fail to properly check the length of user-supplied data before copying it into a fixed-length stack buffer, creating a predictable exploitation vector that allows for arbitrary code execution.
The technical implementation of this vulnerability demonstrates a classic stack buffer overflow scenario where malicious input data exceeds the allocated buffer space, leading to memory corruption that can be exploited to overwrite critical program execution flow. The requirement for authentication to exploit this vulnerability indicates that attackers must first establish valid credentials, typically through legitimate administrative access or credential compromise, before they can leverage the buffer overflow to gain elevated privileges. This authentication requirement does not mitigate the severity of the flaw, as successful exploitation results in root-level code execution, effectively providing attackers complete control over the affected device.
From an operational impact perspective, this vulnerability poses significant risks to network security infrastructure as it allows attackers to execute arbitrary code with the highest possible privileges on the router. The exploitation process typically involves crafting malicious HTTP requests that contain oversized input data, which when processed by the vulnerable httpd service causes the buffer overflow and subsequent code execution. The root-level execution context means that attackers can modify router configurations, establish persistent backdoors, redirect network traffic, or use the compromised device as a pivot point for further attacks within the local network environment. This vulnerability directly maps to ATT&CK technique T1059.007 for command and scripting interpreter and T1566.001 for valid accounts for initial access and privilege escalation.
The security implications extend beyond immediate device compromise as compromised routers can serve as persistent footholds for broader network infiltration, enabling attackers to monitor traffic, manipulate network communications, or launch attacks against other connected devices. The vulnerability affects not only the specific TP-Link model but potentially other devices using similar firmware components, highlighting the importance of firmware updates and security patches. Organizations should implement immediate mitigation strategies including firmware updates, network segmentation, and monitoring for suspicious HTTP traffic patterns. The vulnerability also underscores the critical importance of input validation and secure coding practices, particularly in network services that handle untrusted input data, as outlined in industry best practices for preventing buffer overflow vulnerabilities.