CVE-2023-46683

Name of the Vulnerable Software and Affected Versions TP-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591

Description A post authentication command injection issue exists when configuring the WireGuard VPN functionality. This can be exploited by sending a specially crafted HTTP request, potentially allowing a remote attacker to execute arbitrary commands. The issue is triggered through ports 80/443.

Recommendations For TP-Link ER7206 Omada Gigabit VPN Router version 1.3.0 build 20230322 Rel.70591, consider disabling the WireGuard VPN functionality until a patch is available to prevent exploitation. Restrict access to ports 80/443 to minimize the risk of arbitrary command injection. As a temporary workaround, limit the use of the HTTP request functionality related to WireGuard VPN configuration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.