CVE-2026-3841
Published: 12 March 2026
Summary
CVE-2026-3841 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Tl-Mr6400 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 26.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Firmware updates directly remediate the command injection flaw caused by insufficient sanitization in the Telnet CLI.
Requires implementation of input validation mechanisms at CLI entry points to sanitize data and block arbitrary command execution.
Enforces least privilege to restrict elevated access, limiting the damage potential from exploited command injection in the CLI.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in Telnet CLI directly enables abuse of Network Device CLI (T1059.008) and exploitation of remote services (T1210) for arbitrary command execution.
NVD Description
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able…
more
to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.
Deeper analysisAI
CVE-2026-3841, published on 2026-03-12, is a command injection vulnerability (CWE-78) in the Telnet command-line interface (CLI) of the TP-Link TL-MR6400 router version 5.3. The issue stems from insufficient sanitization of data processed during specific CLI operations, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with elevated privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Exploitation enables execution of arbitrary system commands, potentially leading to full device compromise, including loss of confidentiality, integrity, and availability.
TP-Link provides mitigation via firmware updates, such as version 5.30 available for download at https://www.tp-link.com/en/support/download/tl-mr6400/v5.30/#Firmware. Additional advisory details are outlined in their support FAQ at https://www.tp-link.com/us/support/faq/5016/.
Details
- CWE(s)