CVE-2023-50224 — TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability

TP-Link TL-WR841N — Authentication Bypass via httpd Spoofing Exposes Stored Credentials; End-of-Life Device; No Patch Available

The TP-Link TL-WR841N is a consumer-grade 300 Mbps wireless router widely deployed in home and small office environments. It provides wireless LAN connectivity, NAT routing, and a web-based management interface accessible via the httpd service on TCP port 80. The management interface allows configuration of Wi-Fi settings, passwords, port forwarding, and other router parameters — and consequently stores sensitive credentials including the router admin password, Wi-Fi pre-shared keys, and in some configurations PPPoE broadband account credentials. TP-Link has designated the TL-WR841N as end-of-life (EoL), and no firmware patches are available or planned for this device.

Overview

CVE-2023-50224 is an authentication bypass by spoofing vulnerability (CWE-290) in the TP-Link TL-WR841N's httpd web management service. An attacker on the same network as the router can bypass authentication and access the management interface — including stored credentials — without providing valid login credentials. The AV:A (adjacent) CVSS metric reflects that exploitation requires LAN access, but once an attacker is on the same network segment, whether wired or joined over Wi-Fi, no authentication is needed to retrieve sensitive credentials stored on the device.

The CVE was assigned with a 2023 identifier but not formally published until May 2024, and not added to the CISA KEV catalog until September 2025 — reflecting detection of ongoing exploitation of deployed EoL devices long after the CVE was identified.

Affected Versions

Product | Affected | Fixed
TP-Link TL-WR841N | All versions | No patch available (EoL device)

Technical Details

Authentication bypass by spoofing (CWE-290) occurs when an authentication mechanism can be circumvented by presenting data that incorrectly appears to satisfy the authentication requirement. In the TL-WR841N's httpd service:

  • The web management interface on TCP port 80 uses a session-based or cookie-based authentication mechanism
  • A flaw in the authentication check logic allows a request that mimics or spoofs the appearance of an authenticated session to bypass the credential verification
  • Once authentication is bypassed, the attacker gains access to the full management interface, including any stored credentials visible through the web UI

The C:H (high confidentiality) impact reflects that the stored credentials — Wi-Fi passwords, router admin credentials, and potentially ISP broadband credentials — are fully exposed to an unauthenticated adjacent attacker. The I:N/A:N (no integrity or availability impact) metrics in the CVSS vector reflect that the vulnerability itself discloses credentials rather than modifying router configuration, though an attacker with the admin password could subsequently make configuration changes.

Discovery

The vulnerability was identified in the TL-WR841N and assigned CVE-2023-50224, but formal NVD publication was delayed until May 2024. CISA's September 2025 KEV addition is consistent with a pattern of delayed exploitation detection for EoL consumer networking devices: these routers remain deployed for many years after end-of-life and are routinely targeted by botnet operators and threat actors aware that patches will never be released.

Exploitation Context

End-of-life consumer routers are a persistent exploitation target because:

  • They remain deployed for years or decades after vendor support ends
  • They receive no security patches for newly discovered vulnerabilities
  • They are often forgotten by end users who do not monitor router security advisories
  • Compromised routers provide a persistent foothold on the local network for traffic interception, credential theft, and lateral movement to connected devices

Credential exfiltration from routers — particularly Wi-Fi PSKs — enables attackers to authenticate to the network from outside, providing a persistent access vector even if the router itself is later replaced.

Remediation

  1. Replace the TL-WR841N with a supported router — as an EoL device, no firmware patch will be released; replacement with a current, actively supported router is the only complete remediation.
  2. Restrict management interface access — if immediate replacement is not possible, block external and Wi-Fi client access to TCP port 80 on the router via firewall rules or VLAN segmentation.
  3. Change router credentials — rotate the router admin password and Wi-Fi PSK to limit the impact if the bypass was previously exploited.
  4. Disable remote management — ensure the router's remote management feature (if enabled) is disabled to prevent exploitation from outside the local network.
  5. Network segmentation — isolate legacy EoL networking equipment on a separate VLAN away from sensitive systems, limiting an attacker's lateral movement from a compromised router.
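
One way to verify steps 2 and 4 after applying them, added here as an example and not part of the original advisory: run it from a host on a segment that should no longer reach the management interface. The address 192.168.0.1 is an assumed placeholder for the router's LAN address; the port is the httpd port named above.

```python
import socket


def probe(host, port=80, timeout=3.0):
    """Classify one TCP connect attempt to the router's management port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: httpd is reachable from here
    except ConnectionRefusedError:
        return "refused"          # host answered with a reset: port closed or rejected
    except socket.timeout:
        return "filtered"         # no answer: packets dropped by a firewall or ACL
    except OSError:
        return "unreachable"      # no route to the address from this segment


def audit(targets, timeout=3.0):
    """Return the (host, port) pairs that still accept connections from this host."""
    return [(h, p) for h, p in targets if probe(h, p, timeout) == "open"]


if __name__ == "__main__":
    # Assumed address: replace with the router's real LAN address. For the
    # remote-management check, test its WAN address from an outside network.
    ROUTER_TARGETS = [("192.168.0.1", 80)]
    exposed = audit(ROUTER_TARGETS)
    for host, port in exposed:
        print(f"management interface still reachable at {host}:{port}")
    raise SystemExit(1 if exposed else 0)
```

A result of "open" from a guest or Wi-Fi client segment means the restriction in step 2 is not effective from that segment.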

Key Details

Property | Value
CVE ID | CVE-2023-50224
Vendor / Product | TP-Link — TL-WR841N
NVD Published | 2024-05-03
NVD Last Modified | 2025-10-27
CVSS 3.1 Score | 6.5
CVSS 3.1 Vector | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity | MEDIUM
CWE | CWE-290
CISA KEV Added | 2025-09-03
CISA KEV Deadline | 2025-09-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-09-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-05-03 | CVE-2023-50224 formally published — authentication bypass by spoofing in TP-Link TL-WR841N httpd service
2025-09-03 | CISA adds CVE-2023-50224 to the Known Exploited Vulnerabilities catalog — confirming active exploitation of end-of-life routers
2025-09-24 | CISA BOD 22-01 remediation deadline