CVE-2026-3841

High

Published: 12 March 2026

Published

12 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0064 70.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able…

to execute arbitrary system commands. Successful exploitation may lead to full device compromise, including potential loss of confidentiality, integrity, and availability.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Firmware updates directly remediate the command injection flaw caused by insufficient sanitization in the Telnet CLI.

SI-10 Information Input Validation good match

prevent

Requires implementation of input validation mechanisms at CLI entry points to sanitize data and block arbitrary command execution.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict elevated access, limiting the damage potential from exploited command injection in the CLI.

Security SummaryAI

CVE-2026-3841, published on 2026-03-12, is a command injection vulnerability (CWE-78) in the Telnet command-line interface (CLI) of the TP-Link TL-MR6400 router version 5.3. The issue stems from insufficient sanitization of data processed during specific CLI operations, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with elevated privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Exploitation enables execution of arbitrary system commands, potentially leading to full device compromise, including loss of confidentiality, integrity, and availability.

TP-Link provides mitigation via firmware updates, such as version 5.30 available for download at https://www.tp-link.com/en/support/download/tl-mr6400/v5.30/#Firmware. Additional advisory details are outlined in their support FAQ at https://www.tp-link.com/us/support/faq/5016/.

Details

CWE(s): CWE-78

Affected Products

tp-link

tl-mr6400 firmware

≤ 1.9.0

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Command injection in Telnet CLI directly enables abuse of Network Device CLI (T1059.008) and exploitation of remote services (T1210) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.tp-link.com/en/support/download/tl-mr6400/v5.30/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/5016/
Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630