VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N

CVE-2026-11410

Description

An authenticated OS command injection in the BigPond Cable WAN module of the TP-Link TL-WR940N v6 allows an admin to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module of TP-Link TL-WR940N v6. The vulnerability arises from improper sanitization of user-supplied input before it is incorporated into system command execution. Affected firmware versions are those prior to V6_260528. [3]

Exploitation

An attacker must have administrative access to the web management interface. Once authenticated, the attacker can craft malicious input in the BPA configuration parameters, which are not properly sanitized, leading to injection of arbitrary system commands. [3]

Impact

Successful exploitation allows execution of arbitrary system commands with elevated privileges. This can lead to disclosure of sensitive information, modification of system configuration, and disruption of device availability, affecting confidentiality, integrity, and availability. [3]

Mitigation

TP-Link has released firmware version V6_260528 to fix this vulnerability. Users should update to this version via the official download pages [1][2]. Note that the TL-WR940N v6 has reached end-of-life (EOL); therefore, upgrading to a supported model is strongly recommended for ongoing security updates. [3]

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

3
