Outdated TP-Link Routers Targeted in Active Cyberattacks

A critical security flaw in several widely used TP-Link router models is now being actively exploited by hackers, according to a recent update by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, which affects older hardware versions no longer receiving firmware updates, poses a severe risk to users and organizations still relying on these legacy devices.

The exploited weakness is a command injection vulnerability that allows attackers to run unauthorized commands on the router’s system through its web management interface. With a severity score of 8.8 out of 10, the flaw is classified as highly dangerous. It was initially identified two years ago, but it appears to still be in active use in real-world attacks, prompting its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The impacted devices are among TP-Link’s most popular consumer models, many of which are still available online and in use despite being officially retired by the manufacturer. These include:

  • TL-WR740N (Versions V1/V2): Updates for this model ended more than 15 years ago, yet the routers remain vulnerable and are potentially still deployed in home and small office environments.
  • TL-WR841N (Versions V8/V10): One of TP-Link’s top-selling models, these versions received their final firmware update in 2015 and have reached end-of-life.
  • TL-WR940N (Versions V2/V4): Last updated in 2016.

CISA is advising users to immediately stop using any of the affected versions, warning that exploits are publicly available and relatively easy to execute—especially on devices with remote access features enabled. Even local network access is enough for attackers to exploit the flaw.

While the mandate to remove the devices currently applies only to U.S. federal agencies (by July 7, 2025), CISA recommends that all organizations—and individual users—replace these routers with secure, up-to-date models to reduce the risk of compromise.