CVE-2025-11676
Description
Improper input validation vulnerability in TP-Link System Inc. TL-WR940N V6 (UPnP modules), which allows unauthenticated adjacent attackers to perform a DoS attack. This issue affects TL-WR940N V6 <= Build 220801.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper input validation vulnerability in the UPnP module of TP-Link TL-WR940N V6 allows unauthenticated adjacent attackers to cause a denial of service.
Vulnerability Overview
CVE-2025-11676 is an improper input validation vulnerability in the UPnP (Universal Plug and Play) module of the TP-Link TL-WR940N V6 router. The flaw exists in firmware builds up to and including Build 220801, where the UPnP service fails to properly validate incoming requests. This lack of validation allows an attacker to send specially crafted network packets that can crash or hang the UPnP service, leading to a denial-of-service (DoS) condition [1][2][3].
Attack Vector and Exploitation
The vulnerability is exploitable from an adjacent network, meaning the attacker must be within the same local network segment as the target router (e.g., connected to the same Wi-Fi or wired LAN). No authentication is required to trigger the flaw; the attacker simply sends malicious UPnP requests to the router's UPnP endpoint. The attack does not require any special privileges or user interaction, making it relatively easy to execute once the attacker gains network proximity [3].
Impact
Successful exploitation results in the UPnP service becoming unavailable. While the core routing and internet connectivity functions of the router may remain operational, the loss of UPnP can disrupt services that rely on automatic port forwarding, such as online gaming, peer-to-peer applications, and certain IoT devices. The CVSS v4.0 base score is 7.1 (High), with the primary impact being on availability (VA:H) and no impact on confidentiality or integrity [3].
Mitigation
TP-Link has released fixed firmware versions (Build 250919 and Build 250925) for the TL-WR940N V6. Users are strongly advised to download and install the latest firmware from TP-Link's official support pages to eliminate the vulnerability [1][2][3]. No workarounds are documented; updating the firmware is the only recommended mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
References: 3
News mentions: 0 (No linked articles in our index yet.)