Cyber Resilience

CVE-2026-3841

High

Published: 12 March 2026

Modified: 02 April 2026
CVSS v4 Score: 8.5
CVSS v4 Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0177 (75.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3841 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link TL-MR6400 firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 24.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability exists in the Telnet command-line interface of the TP-Link TL-MR6400 v5.3 router. The flaw stems from insufficient sanitization of data during specific CLI operations and is tracked under CWE-78. It carries a CVSS 4.0 score of 8.5 with an attack vector of adjacent network and high privileges required.

An authenticated attacker who already possesses elevated privileges on the device can supply crafted input to execute arbitrary system commands. Successful exploitation grants full control of the router, resulting in loss of confidentiality, integrity, and availability of the device and any connected network resources.

TP-Link publishes updated firmware for the TL-MR6400 v5.3 series and related support documentation at the referenced URLs. The current EPSS score of 0.0074 with a recorded peak of 0.0102 reflects limited observed exploitation interest.


Vulnerability details

A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.008 Network Device CLI (tactic: Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection in the Telnet CLI directly enables abuse of Network Device CLI (T1059.008) and exploitation of remote services (T1210) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15518 (same vendor: TP-Link)
CVE-2025-15519 (same vendor: TP-Link)
CVE-2026-22224 (same vendor: TP-Link)
CVE-2026-22222 (same vendor: TP-Link)
CVE-2025-6542 (same vendor: TP-Link)
CVE-2026-30815 (same vendor: TP-Link)
CVE-2026-0631 (same vendor: TP-Link)
CVE-2026-22221 (same vendor: TP-Link)
CVE-2026-0652 (same vendor: TP-Link)
CVE-2026-30818 (same vendor: TP-Link)

Affected Assets

Vendor: tp-link
Product: tl-mr6400 firmware
Affected versions: ≤ 1.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly counters the CWE-78 command injection by requiring validation and sanitization of all CLI input before processing.

Prevent: Requires timely application of the vendor firmware update that eliminates the unsanitized Telnet CLI code path.

Prevent: Limits the population of accounts that possess the elevated privileges required to reach the vulnerable CLI operations.

References