CVE-2023-50224
Published: 03 May 2024
Summary
CVE-2023-50224 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in TP-Link TL-WR841N firmware. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 18.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2023-50224 is an improper authentication vulnerability in the httpd service of TP-Link TL-WR841N routers that permits disclosure of stored credentials. The flaw resides in the dropbearpwd component and affects installations listening on the default TCP port 80; no authentication is required to trigger it. The issue was originally reported as ZDI-CAN-19899 and carries a CVSS 3.0 score of 6.5 with an adjacent-network attack vector.
A network-adjacent attacker can exploit the weakness to retrieve sensitive credential information from the device, which may then be used to obtain further access or perform additional compromise of the router and attached networks.
TP-Link has published updated firmware for the TL-WR841N v12 on its support site, and the Zero Day Initiative advisory ZDI-23-1808 provides corresponding technical details. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-55046
- 🇬🇧 UK NCSC: APT28 exploit routers to enable DNS hijacking operations
Vulnerability details
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899.
- CWE(s): CWE-290
- KEV Date Added: 03 September 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication checks on the httpd service before allowing access to stored credentials such as those exposed via dropbearpwd.
Limits actions permitted without identification or authentication, preventing unauthenticated retrieval of credentials on TCP port 80.
Monitors for unauthorized information disclosure attempts targeting the web interface that bypass authentication.