TP-Link TL-WR802N V4(JP) Command Injection Exploit (CVE-2021-4144)

Isopach · December 21, 2021

I got some leftover giftcards from coming in second in the Japan Chess Sunday Cup Grand Prix and used all of them to purchase routers; this is one of the CVEs I got! Unlike my previous CVE-2020-35576, this vulnerability is present on the latest hardware of the router so I will not be disclosing the exploit details for now.


Affected Firmware

All firmware prior to TL-WR802N V4(JP)_V4_211202

CVSS Base Score: 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Fixed Firmware


Date 2021-12-08
Release notes Command injection脆弱性の修正と、デバイスのセキュリティを強化しました。


So, a quick introduction to this router. It was released in 2016 and has been a very popular and cheap ($18) portable pocket router, ranking top 24th in Amazon JP at time of report.

Although being released 5 years ago, there was only one firmware patch per hardware version and thus many security features were absent. This led me to choosing it as my next target!

Bug Discovery via QEMU Analysis

This is redacted.

The Exploit

This is also redacted.


I would like to thank my company, PwC Japan for giving me a lot of free time during work which resulted in me discovering yet another router CVE.


TP-Link took some time to respond to this one and the disclosure was delayed by 6 months.

2021-06-24 00:21:34 JST - Reported to Vendor (security[at]
2021-06-25 11:09:13 JST - Vendor acknowledgement and reply
2021-07-28 19:51:55 JST - Asked Vendor for updates
2021-11-05 07:49:23 JST - Asked Vendor for updates
2021-11-05 12:36:45 JST - Vendor replied with beta firmware dated 2021 June & said they did not receive the July email
2021-11-06 03:52:01 JST - Replied to Vendor confirming fixes
2021-11-06 04:47:00 JST - Contacted JPCERT/CC for coordinated disclosure
2021-11-08 21:09:10 JST - Acknowledgement from Vendor
2021-11-10 02:16:00 JST - Acknowledgement from JPCERT/CC
2021-12-08 16:03:00 JST - Vendor officially released firmware
2021-12-10 02:44:58 JST - JVN draft received from JPCERT/CC
2021-12-21 17:51:00 JST - CVE number assigned by JPCERT/CC
2021-12-22 07:15:59 JST - Blog post published

Twitter, Facebook