Vulnerability intelligence

CVE-2023-50224

TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability

TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. . Was ZDI-CAN-19899.

CVSS Score

6.5

Medium

EPSS — Exploit Probability

1.5%

Riskier than 81% of all CVEs

Exploitation

Confirmed in the wild

Used in ransomware campaigns

Remediation

Patch available

Federal deadline 2025-09-24

CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2025-09-24.

NVD entry Vendor patch PoC / advisory CISA KEV

3 articles across 3 outlets · first covered Apr 7, 2026 · latest Apr 9, 2026

Associated threat actors

APT28

Coverage timeline

Trend Micro Exposes Fancy Bears Prismex Malware Targeting Ukraine
www.darkreading.com · Apr 9, 2026
APT28 hijacks routers worldwide in DNS based FrostArmada campaign
thehackernews.com · Apr 7, 2026
APT28 exploits SOHO routers via CVE‑2023‑50224 to steal credentials
www.infosecurity-magazine.com · Apr 7, 2026

Related CVEs — TP-Link

CVE-2023-1389KEV CVE-2023-33538KEV