Details of VAR-202512-4914

ID

VAR-202512-4914

CVE

CVE-2025-14737

TITLE

TP-LINK Technologies of TL-WA850RE in the firmware OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-025094

DESCRIPTION

Command Injection vulnerability in TP-Link WA850RE (httpd modules) allows authenticated adjacent attacker to inject arbitrary commands.This issue affects: ≤ WA850RE V2_160527, ≤ WA850RE V3_160922. This issue is addressed in: WA850RE V2_160527 and WA850RE V3_160922 The following versions are affected:All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software may stop working completely. Furthermore, attacks that exploit this vulnerability will not affect other software

Trust: 1.62

sources: NVD: CVE-2025-14737 // JVNDB: JVNDB-2025-025094

AFFECTED PRODUCTS

vendor:	tp link	model:	tl-wa850re	scope:	lte	version:	160527	Trust: 1.0
vendor:	tp link	model:	tl-wa850re	scope:	lte	version:	160922	Trust: 1.0
vendor:	tp link	model:	tl-wa850re	scope:	lte	version:	tl-wa850re firmware 160527 and earlier	Trust: 0.8
vendor:	tp link	model:	tl-wa850re	scope:	-	version:	-	Trust: 0.8
vendor:	tp link	model:	tl-wa850re	scope:	eq	version:	-	Trust: 0.8
vendor:	tp link	model:	tl-wa850re	scope:	lte	version:	tl-wa850re firmware 160922 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2025-025094 // NVD: CVE-2025-14737

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-14737
value:	HIGH
Trust: 1.0
f23511db-6c3e-4e32-a477-6aa17d310630:	CVE-2025-14737
value:	HIGH
Trust: 1.0
NVD:	CVE-2025-14737
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2025-14737
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2025-14737
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2025-025094 // NVD: CVE-2025-14737 // NVD: CVE-2025-14737

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-025094 // NVD: CVE-2025-14737

PATCH

title:

TP-Link WA850RE Remote Command Injection Vulnerability - Exodus Intelligence TP-LINK TechnologiesTP-Link

url:

https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-remote-command-injection-vulnerability/

Trust: 0.8

sources: JVNDB: JVNDB-2025-025094

EXTERNAL IDS

db:	NVD	id:	CVE-2025-14737	Trust: 2.6
db:	JVNDB	id:	JVNDB-2025-025094	Trust: 0.8

sources: JVNDB: JVNDB-2025-025094 // NVD: CVE-2025-14737

REFERENCES

url:	https://www.tp-link.com/us/support/download/tl-wa850re/v3/#firmware	Trust: 1.8
url:	https://www.tp-link.com/us/support/download/tl-wa850re/v2/#firmware	Trust: 1.8
url:	https://www.tp-link.com/us/support/faq/4848/	Trust: 1.0
url:	https://blog.exodusintel.com/2022/06/23/tp-link-wa850re-remote-command-injection-vulnerability/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2025-14737	Trust: 0.8

sources: JVNDB: JVNDB-2025-025094 // NVD: CVE-2025-14737

SOURCES

db:	JVNDB	id:	JVNDB-2025-025094
db:	NVD	id:	CVE-2025-14737

LAST UPDATE DATE

2026-01-23T23:11:43.684000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2025-025094	date:	2026-01-22T02:34:00
db:	NVD	id:	CVE-2025-14737	date:	2026-01-20T19:05:47.277

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2025-025094	date:	2026-01-22T00:00:00
db:	NVD	id:	CVE-2025-14737	date:	2025-12-18T18:15:45.027