CVE-2020-36178

Name of the Vulnerable Software and Affected Versions: TP-Link TL-WR840N version 6 EU 0.9.1 4.16

Description: The issue allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables). This is specifically related to the oal ipt addBridgeIsolationRules function, which is not the only function that calls util execSystem.

Recommendations: For TP-Link TL-WR840N version 6 EU 0.9.1 4.16, consider disabling the oal ipt addBridgeIsolationRules function until a patch is available to prevent OS command injection. Restrict access to the IP address field in the web interface to minimize the risk of exploitation. Avoid using the IP address field in the affected web interface until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.