Cybersecurity researchers have uncovered critical SQL injection vulnerabilities in four TP-Link router models, enabling attackers to execute malicious commands, bypass authentication, and potentially hijack devices.
The flaws, discovered by researcher The Veteran between February and March 2025, highlight ongoing security risks in widely used networking hardware.
The vulnerabilities impact both enterprise and consumer routers, including mobile Wi-Fi hotspots. Below is a summary of the flaws:
CVE ID | Affected Product | Firmware Version | Discovery Date |
CVE-2025-29648 | TP-Link EAP120 Router | 1.0 | February 2025 |
CVE-2025-29649 | TP-Link TL-WR840N Router | 1.0 | February 2025 |
CVE-2025-29650 | TP-Link M7200 4G LTE Mobile Router | 1.0.7 | March 2025 |
CVE-2025-29653 | TP-Link M7450 4G LTE Mobile Router | 1.0.2 | March 2025 |
All four vulnerabilities stem from unsanitized user input in login dashboards. Attackers can inject malicious SQL statements into username or password fields, exploiting poorly configured authentication mechanisms. Successful exploitation allows:
The Veteran noted, “These flaws are alarmingly straightforward to exploit. Attackers could compromise routers in minutes, turning them into entry points for larger network breaches.”
Compromised routers could enable:
TP-Link has not yet released patches for the affected models as of April 2025. Users of the EAP120, TL-WR840N, M7200, and M7450 are urged to monitor for firmware updates.
The Veteran reported the flaws through standard disclosure channels and published technical analyses on GitHub. “Vendors must adopt stricter input validation protocols,” they emphasized. “These vulnerabilities are preventable with basic security practices.”
As IoT devices proliferate, robust security measures are non-negotiable. TP-Link users should treat these vulnerabilities with urgency and apply patches immediately upon release.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Aon’s Stroz Friedberg Incident Response Services has uncovered a method used by a threat actor…
A critical security vulnerability in the Samsung MagicINFO 9 Server has come under active exploit,…
Major ransomware campaign targeting UK retailers has escalated as hackers provided BBC News with evidence…
Target application included a username field restricted by a frontend regex filter (/^[a-zA-Z0-9]{1,20}$/), designed to…
Irish Data Protection Commission (DPC) has imposed a landmark €530 million fine on TikTok Technology…
Employee at Elon Musk’s artificial intelligence firm xAI inadvertently exposed a private API key on…