Security Advisory on Command Injection Vulnerability in Telnet CLI on TP-Link TL-MR6400 (CVE-2026-3841)
184 Vulnerability and Impact Description:
CVE-2026-3841:
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.
CVSS v4.0 Score: 8.5 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Affected Product Model |
Affected Version |
|
TL-MR6400 v5.3 |
< 1.9.0 Build 260108 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Download and update to the latest firmware version to fix the vulnerabilities on the Omada website.
EN: Download for TL-MR6400 | TP-Link
Note: TL-MR6400 is not sold in the US.
Disclaimer:
If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.