Security Advisory on Vulnerabilities in TP-Link WA850RE, WA940N and WR941ND (CVE-2025-14737, CVE-2025-14738, CVE-2025-14739)

Security Advisory
Updated 12-18-2025 17:59:04 PM

Important Information:

These devices have reached end-of-life (EOL); therefore, please review the ‘Recommendation(s)’ section carefully.

Vulnerabilities Description:

In TP-Link WA850RE (httpd modules):

Command Injection vulnerability allows authenticated adjacent attackers to inject arbitrary commands.

Improper authentication vulnerability allows unauthenticated attackers to download the configuration file.

In TP-Link WR940N and WR941ND:

Access of Uninitialized Pointer vulnerability allows local unauthenticated attackers to cause a denial of service (DoS) and potentially execute arbitrary code in the context of the ‘root’ user.

Impacts:

In TP-Link WA850RE:

The Command Injection vulnerability allows authenticated adjacent attackers to inject arbitrary commands with root privileges. This issue is further exacerbated when combined with the configuration leak from the Unauthenticated Configuration Disclosure vulnerability, because the leaked configuration file exposes the admin credentials that the injection requires.

Improper authentication vulnerability allows unauthenticated attackers to download the configuration file. Retrieval of this file results in the exposure of admin credentials and other sensitive information.

WA850RE Command Injection vulnerability

CVSS v4.0 Score: 7.1 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

WA850RE Unauthenticated Configuration Disclosure Vulnerability

CVSS v4.0 Score: 5.7 / Medium

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

In TP-Link WA940N and WR941ND:

Exploitation of the Uninitialized Pointer vulnerability allows local unauthenticated attackers to crash the device (DoS) and, in severe cases, execute arbitrary code with root privileges, leading to full system compromise.

CVSS v4.0 Score: 6.8 / Medium

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected Products/Versions and Fixes:

| Affected Product Model | Related Vulnerabilities | Affected Version |
| --- | --- | --- |
| WA850RE v2 | CVE-2025-14737 & CVE-2025-14738 | <= V2_160527, <= V3_160922 |
| WA940N v5 | CVE-2025-14739 | <= 3.20.1 Build 200316 |
| WR941ND v6 | CVE-2025-14739 | <= 3.16.9 Build 151203 |
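The following is an added example, not part of TP-Link's advisory: a small inventory check that compares a device's reported firmware string against the affected-version ceilings listed above. The function names, the reading of the six-digit field as a YYMMDD build date, the mapping of `V3_160922` to WA850RE hardware v3, and the treatment of "WR940N" and "WA940N" as one model are assumptions.

```python
import re

# Ceilings copied from the advisory's "Affected Version" column.
# Assumption: the V3_160922 ceiling belongs to WA850RE hardware v3 ("V3_" prefix).
AFFECTED = {
    ("WA850RE", 2): ("V2_160527", "CVE-2025-14737, CVE-2025-14738"),
    ("WA850RE", 3): ("V3_160922", "CVE-2025-14737, CVE-2025-14738"),
    ("WA940N", 5): ("3.20.1 Build 200316", "CVE-2025-14739"),
    ("WR941ND", 6): ("3.16.9 Build 151203", "CVE-2025-14739"),
}
# The advisory writes one model as both "WA940N" and "WR940N"; treat them alike.
ALIASES = {"WR940N": "WA940N"}

def fw_key(fw):
    """Firmware string -> tuple of ints that sorts oldest-first.
    Assumption: the six digits are a YYMMDD build date."""
    for pat in (r"V\d+_(\d{6})", r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})"):
        m = re.fullmatch(pat, fw.strip(), re.I)
        if m:
            return tuple(int(g) for g in m.groups())
    raise ValueError(f"unrecognised firmware string: {fw!r}")

def triage(model, hw_rev, fw):
    """Return (status, detail) for one inventory row."""
    model = model.upper().removeprefix("TL-")
    entry = AFFECTED.get((ALIASES.get(model, model), hw_rev))
    if entry is None:
        return "not-listed", "model/hardware revision not in the advisory table"
    ceiling, cves = entry
    try:
        have, limit = fw_key(fw), fw_key(ceiling)
    except ValueError as exc:
        return "unknown", str(exc)  # never report an unparseable version as safe
    if len(have) != len(limit):
        return "unknown", "firmware string format does not match this model"
    return ("affected" if have <= limit else "not-affected"), cves

# Constructed inventory rows: (model, hardware revision, firmware string).
INVENTORY = [
    ("TL-WA850RE", 2, "V2_160527"),
    ("TL-WR940N", 5, "3.20.1 Build 200316"),
    ("TL-WR941ND", 6, "3.16.9 Build 151203"),
    ("TL-WR940N", 5, "3.20.1 Build 200317"),  # constructed version, not a real release
    ("TL-WR940N", 5, "custom-build"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*row, "->", *triage(*row), sep="  ")
```

Rows reported as `unknown` need manual review; a firmware string the script cannot parse is never treated as unaffected.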

Recommendation(s):

We strongly recommend that users with the affected device(s) take the following action(s):

  1. Download and update to the latest firmware version to fix these vulnerabilities:

https://www.tp-link.com/us/support/download/tl-wa850re/v2/#Firmware

https://www.tp-link.com/us/support/download/tl-wa850re/v3/#Firmware

https://www.tp-link.com/us/support/download/tl-wr941nd/#Firmware

https://www.tp-link.com/us/support/download/tl-wr940n/v5/#Firmware

Disclaimer:

If you do not take the recommended actions stated above, this vulnerability concern will remain. TP-Link cannot bear any responsibility for the consequences that could have been avoided by following the recommended actions in this statement.