CVE-2026-11409: OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: V6_260528
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability affects the IPv6 PPPoE configuration handler in TP-Link TL-WR940N v6 firmware. The flaw is reachable from an adjacent network and requires administrative credentials; unsanitized input passed to the configuration handler is executed as system commands with elevated privileges. Successful exploitation gives an attacker full control of the device, including arbitrary command execution at the OS level. A patched-image rebuild at version V6_260528 is available on HarborGuard for environments running an affected firmware version.
HarborGuard Coverage
Detection for CVE-2026-11409 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle TP-Link TL-WR940N firmware or related tooling.
HarborGuard scores this CVE at 8.5 HIGH using the CVSS v4.0 vector and weights findings against each customer environment's compliance policy before routing alerts to the appropriate team inbox within that organization.
A patched-image rebuild at firmware version V6_260528 becomes available on HarborGuard for any image found running an affected TL-WR940N v6 version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against the affected workload automatically.
Exploit Conditions
- Network reachability: adjacent network
  The vulnerable service is reachable from an adjacent network such as a local LAN or VPN segment; remote internet-based access alone is not sufficient.
- Authentication: required
  An administrative account is required; the attacker must have already obtained router admin credentials before exploitation is possible.
- Victim interaction: not required
  No user interaction is needed; the attacker submits a crafted request directly to the configuration handler without any victim involvement.
- Attack complexity: low
  The exploit is reliable and condition-free once the attacker has network adjacency and admin credentials; no race conditions or special environmental factors are required.
Blast Radius
- Executes arbitrary OS commands with elevated privileges on the affected router, giving the attacker full control of the device.
- Reads any file accessible to the process, including stored credentials, PPPoE account details, and network configuration secrets.
- Modifies device configuration, firewall rules, or routing tables, enabling traffic interception or redirection for all hosts on the connected network.
- Crashes or reboots the device, disrupting network connectivity for every host that depends on it.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-11409 activates within minutes of ingestion for any image in a customer registry or pipeline that includes affected TL-WR940N v6 firmware components. A patched-image rebuild targeting V6_260528 is available as soon as the affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS 8.5 HIGH score, adjacent-network attack vector context, and the admin-credential prerequisite noted, so reviewers can prioritize accurately.
Affected Products
- TP-Link Systems Inc. / TL-WR940N v6: all versions from 0 up to, but excluding, V6_260528
CVSS v4.0 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
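The Exploit Conditions above are the base metrics of the published vector read out in plain language: AV:A gives the adjacent-network requirement, PR:H the admin-credential prerequisite, UI:N the absence of victim interaction, and AC:L with AT:N the reliable, condition-free exploit. The example below, added here and not HarborGuard's or TP-Link's code, parses the vector printed on this page into those same preconditions and rejects malformed vectors so that a bad feed entry fails loudly instead of being mis-triaged. It handles only the eleven CVSS v4.0 base metrics (threat, environmental and supplemental metrics are rejected rather than silently ignored), and the plain-language phrasings are this example's own, not a FIRST-defined vocabulary.

```python
import re

# CVSS v4.0 base metric vocabulary: metric -> (display name, permitted values).
CVSS4_BASE_METRICS = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "AT": ("Attack Requirements", {"N": "None", "P": "Present"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    "VC": ("Vulnerable System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "VI": ("Vulnerable System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "VA": ("Vulnerable System Availability", {"H": "High", "L": "Low", "N": "None"}),
    "SC": ("Subsequent System Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "SI": ("Subsequent System Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "SA": ("Subsequent System Availability", {"H": "High", "L": "Low", "N": "None"}),
}

# Each component is a two-letter metric, a colon, and a one-letter value.
_PART_RE = re.compile(r"^([A-Z]{2}):([A-Z])$")


def parse_cvss4_vector(vector: str) -> dict:
    """Parse a CVSS:4.0 base vector string into {metric: value}.

    Raises ValueError on a wrong prefix, a malformed component, an unknown
    metric or value, a duplicated metric, or a missing base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        match = _PART_RE.match(part)
        if not match:
            raise ValueError(f"malformed component {part!r}")
        name, value = match.groups()
        if name not in CVSS4_BASE_METRICS:
            raise ValueError(f"unsupported metric {name!r} (only base metrics are handled here)")
        if value not in CVSS4_BASE_METRICS[name][1]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [name for name in CVSS4_BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_cvss4_vector(vector: str) -> bool:
    """Boolean wrapper around parse_cvss4_vector for feed validation."""
    try:
        parse_cvss4_vector(vector)
        return True
    except ValueError:
        return False


def exploit_conditions(metrics: dict) -> dict:
    """Translate base metrics into the preconditions a triage reviewer checks first."""
    reach = {
        "N": "reachable from the internet",
        "A": "adjacent network only (same LAN or VPN segment)",
        "L": "local access to the device",
        "P": "physical access to the device",
    }[metrics["AV"]]
    auth = {
        "N": "no credentials needed",
        "L": "low-privileged account needed",
        "H": "administrative account needed",
    }[metrics["PR"]]
    interaction = {"N": "not required", "P": "passive victim action", "A": "active victim action"}[metrics["UI"]]
    return {
        "network_reachability": reach,
        "authentication": auth,
        "victim_interaction": interaction,
        "attack_complexity": "low" if metrics["AC"] == "L" else "high",
        # AT:N is what the page calls "condition-free": no race or environmental prerequisite.
        "attack_requirements": "none" if metrics["AT"] == "N" else "present (race or environmental condition)",
    }


def full_device_compromise(metrics: dict) -> bool:
    """True when the vulnerable system loses confidentiality, integrity and availability outright."""
    return all(metrics[key] == "H" for key in ("VC", "VI", "VA"))


# The vector published for CVE-2026-11409 on this page.
PAGE_VECTOR = "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    parsed = parse_cvss4_vector(PAGE_VECTOR)
    for key, text in exploit_conditions(parsed).items():
        print(f"{key}: {text}")
    print("full device compromise:", full_device_compromise(parsed))
```

Running the block against the page's vector yields the adjacent-network, admin-credential, no-interaction, low-complexity, no-prerequisite summary that the Exploit Conditions section states, plus a true result for full device compromise (VC:H, VI:H, VA:H), matching the Blast Radius list. A CVSS v3.1 vector, a truncated vector, a duplicated metric or an unknown value are all rejected with a ValueError rather than being scored on partial data.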