Cyber Resilience

CVE-2023-50224

Medium · CISA KEV · Active Exploitation · EUVD Exploited · UK NCSC Alert

Published: 03 May 2024

Modified: 27 October 2025
KEV Added: 03 September 2025
Patch
CVSS Score v3: 6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0149 (81.5th percentile)
Risk Priority: 34 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-50224 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in TP-Link TL-WR841N firmware. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 18.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2023-50224 is an improper authentication vulnerability in the httpd service of TP-Link TL-WR841N routers that permits disclosure of stored credentials. The flaw resides in the dropbearpwd component and affects installations listening on the default TCP port 80; no authentication is required to trigger it. The issue was originally reported as ZDI-CAN-19899 and carries a CVSS 3.0 score of 6.5 with an adjacent-network attack vector.

A network-adjacent attacker can exploit the weakness to retrieve sensitive credential information from the device, which may then be used to obtain further access or perform additional compromise of the router and attached networks.

TP-Link has published updated firmware for the TL-WR841N v12 on its support site, and the Zero Day Initiative advisory ZDI-23-1808 provides corresponding technical details. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation.

EU & UK References

Vulnerability details

TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899.

CWE(s)
KEV Date Added: 03 September 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tp-link
tl-wr841n firmware
3.16.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly enforces authentication checks on the httpd service before allowing access to stored credentials such as those exposed via dropbearpwd.

Prevent: Limits actions permitted without identification or authentication, preventing unauthenticated retrieval of credentials on TCP port 80.

Detect: Monitors for unauthorized information disclosure attempts targeting the web interface that bypass authentication.

References