CVE-2026-11410: OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: V6_260528
- Affected Products: 1
HarborGuard Analysis
Synopsis
An OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module of the TP-Link TL-WR940N v6 router. An attacker on the same local network segment with administrative credentials can inject arbitrary operating system commands through unsanitized input fields in the configuration interface. Successful exploitation grants execution of arbitrary commands with elevated privileges, enabling full device compromise including data disclosure, configuration tampering, and potential service disruption. A patched-image rebuild at version V6_260528 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11410 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from TP-Link TL-WR940N v6 firmware bases.
Available
HarborGuard scores this CVE at 8.5 HIGH per the CVSS v4.0 vector and weights that score against each customer org's active compliance policy to determine breach thresholds. Triage tickets are routed automatically to the team or inbox configured for network-device firmware findings within each environment.
Available
A patched-image rebuild pinned to firmware version V6_260528 is available on HarborGuard for any environment running an affected TL-WR940N v6 image. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without manual intervention.
Available
Exploit Conditions
- Network reachability
  The attacker must be present on the same adjacent network, such as a LAN or VPN segment, to reach the device's administrative interface; remote internet-based exploitation is not possible without additional network access.
- Authentication: Required
  An administrative account is required; the attacker must already hold or obtain high-privilege credentials on the router before exploitation is possible.
- Victim interaction: Not required
  No action from a logged-in user or any other person is needed; the attacker can trigger the injection entirely through their own requests to the configuration interface.
- Attack complexity
  The exploit is reliable and condition-free; no race conditions, special memory layouts, or environmental dependencies are required to inject and execute commands.
Blast Radius
- Reads device configuration data including stored credentials, WAN authentication tokens, and network topology details.
- Modifies router configuration including firewall rules, DNS settings, and routing tables, enabling traffic interception or redirection.
- Executes arbitrary OS commands with elevated privileges, allowing installation of persistent backdoors or malicious firmware components.
- Crashes or disrupts the routing and WAN services, cutting off internet connectivity for all devices on the affected network segment.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images as soon as it is ingested, typically within minutes of upstream publication. For environments running TL-WR940N v6 images at versions below V6_260528, a patched rebuild at V6_260528 is available immediately. Where customers have auto-remediation enabled, HarborGuard triggers the rebuild, executes a regression test run against the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation active. Because exploitation requires adjacent-network access and admin credentials, teams without auto-remediation enabled should prioritize restricting management-interface access via network policy (for example, isolating the router admin VLAN or enforcing egress filtering on the configuration port) as a compensating control while scheduling the manual upgrade.
- TP-Link Systems Inc. / TL-WR940N v6: < V6_260528 (from 0)
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
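The vector above is the machine-readable form of the exploit conditions listed earlier. The following is an added example (not HarborGuard or TP-Link code) that validates a CVSS v4.0 base vector and derives those conditions for triage; the function names and the `mgmt_isolation_helps` field are assumptions made for illustration, and only the 11 mandatory base metrics are accepted.

```python
# Added example: validate a CVSS v4.0 base vector and derive exploit preconditions.
IMPACT = {"H": "high", "L": "low", "N": "none"}
# The 11 mandatory CVSS v4.0 base metrics, in the order the specification requires.
BASE_METRICS = {
    "AV": {"N": "network", "A": "adjacent", "L": "local", "P": "physical"},
    "AC": {"L": "low", "H": "high"},
    "AT": {"N": "none", "P": "present"},
    "PR": {"N": "none", "L": "low", "H": "high"},
    "UI": {"N": "none", "P": "passive", "A": "active"},
    "VC": IMPACT, "VI": IMPACT, "VA": IMPACT,
    "SC": IMPACT, "SI": IMPACT, "SA": IMPACT,
}
ADVISORY_VECTOR = "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"


def parse_base_vector(vector: str) -> dict:
    """Return {metric: value}; raise ValueError on a malformed base vector."""
    prefix, *parts = vector.strip().split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"unsupported prefix: {prefix!r}")
    pairs = [p.split(":", 1) for p in parts]
    if any(len(p) != 2 for p in pairs):
        raise ValueError("each component must be METRIC:VALUE")
    if [name for name, _ in pairs] != list(BASE_METRICS):
        raise ValueError("base metrics missing, repeated or out of order")
    for name, value in pairs:
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
    return dict(pairs)


def exploit_conditions(vector: str) -> dict:
    """Summarise the preconditions an attacker must meet, for triage."""
    m = parse_base_vector(vector)
    return {
        "reachability": BASE_METRICS["AV"][m["AV"]],
        "privileges_required": BASE_METRICS["PR"][m["PR"]],
        "user_interaction": BASE_METRICS["UI"][m["UI"]],
        "attack_complexity": BASE_METRICS["AC"][m["AC"]],
        # Restricting who can reach the management interface only reduces
        # exposure when the attack arrives over a network path (AV:N or AV:A).
        "mgmt_isolation_helps": m["AV"] in ("N", "A"),
    }


if __name__ == "__main__":
    for key, value in exploit_conditions(ADVISORY_VECTOR).items():
        print(f"{key}: {value}")
```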