CVE-2026-3841
Published: 12 March 2026
Summary
CVE-2026-3841 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link TL-MR6400 firmware. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 24.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A command injection vulnerability exists in the Telnet command-line interface of the TP-Link TL-MR6400 v5.3 router. The flaw stems from insufficient sanitization of data during specific CLI operations and is tracked under CWE-78. It carries a CVSS 4.0 score of 8.5 with an attack vector of adjacent network and high privileges required.
An authenticated attacker who already possesses elevated privileges on the device can supply crafted input to execute arbitrary system commands. Successful exploitation grants full control of the router, resulting in loss of confidentiality, integrity, and availability of the device and any connected network resources.
TP-Link publishes updated firmware for the TL-MR6400 v5.3 series and related support documentation at the referenced URLs. The current EPSS score of 0.0074 with a recorded peak of 0.0102 reflects limited observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11655
Vulnerability details
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in Telnet CLI directly enables abuse of Network Device CLI (T1059.008) and exploitation of remote services (T1210) for arbitrary command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly counters the CWE-78 command injection by requiring validation and sanitization of all CLI input before processing.
Requires timely application of the vendor firmware update that eliminates the unsanitized Telnet CLI code path.
Limits the population of accounts that possess the elevated privileges required to reach the vulnerable CLI operations.