Cyber Resilience

CVE-2022-25073

Critical · Public PoC

Published: 24 February 2022

Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0538 (90.3rd percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25073 is a critical-severity out-of-bounds write (CWE-787) vulnerability in TP-Link TL-WR841N firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-25073 is a stack-based buffer overflow (CWE-787) in the dm_fillObjByStr function of the TP-Link TL-WR841Nv14_US_0.9.1_4.18 firmware. The affected component is the web management interface of this consumer wireless router model, which processes attacker-supplied input without adequate bounds checking.

The vulnerability can be exploited by unauthenticated remote attackers over the network. With a CVSS 3.1 score of 9.8, successful exploitation grants arbitrary code execution and full control of the device (high impact to confidentiality, integrity, and availability), enabling complete compromise without user interaction.

Public references consist of proof-of-concept repositories that demonstrate the flaw but contain no vendor advisory, firmware patch details, or mitigation guidance. The EPSS score has remained flat at 0.0538 with no material increase since disclosure.

Vulnerability details

TL-WR841Nv14_US_0.9.1_4.18 routers were discovered to contain a stack overflow in the function dm_fillObjByStr(). This vulnerability allows unauthenticated attackers to execute arbitrary code.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tp-link tl-wr841n firmware, version 0.9.1_4.18

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
