Analysis Summary

Multiple critical SQL injection vulnerabilities have been discovered in several TP-Link router models, exposing users to severe risks, including unauthorized access and full device compromise. Discovered by a security researcher, these flaws affect the login dashboards of TP-Link routers such as the EAP120, TL-WR840N, M7200, and M7450, all of which fail to properly sanitize input fields. These vulnerabilities enable unauthenticated attackers to inject malicious SQL code through the username and password fields, bypassing authentication mechanisms and gaining administrative control of the devices.

Each vulnerability is cataloged under a separate CVE. CVE-2025-29648 targets the TP-Link EAP120 (v1.0), allowing login bypass through SQL injection. CVE-2025-29649 affects the TL-WR840N (v1.0), where attackers can gain full control of the router, manipulate DNS, and intercept traffic. CVE-2025-29650 impacts the M7200 4G LTE Mobile Wi-Fi Router (firmware 1.0.7 Build 180127), allowing threat actors to steal credentials, conduct reconnaissance, and establish persistent access. Lastly, CVE-2025-29653 compromises the M7450 Mobile Wi-Fi Router (firmware 1.0.2 Build 170306), risking exposure of cellular data and IMSI information due to input sanitization flaws and unchanged default credentials.

These vulnerabilities are rated (Critical) on the scale due to their high potential impact and low exploitation complexity. They require only network access to the device’s web interface and do not demand authentication. Once exploited, attackers can intercept user communications, redirect traffic via DNS manipulation, and use the router as a pivot point to attack other systems within the network. The widespread use of these routers in both home and business environments amplifies the threat landscape significantly.

TP-Link has been informed, but no official patches have been released at the time of this publication. Users are advised to take immediate mitigation steps, including changing default administrative credentials, disabling remote management, and applying the latest available firmware updates. Additionally, network administrators should employ traffic monitoring tools to detect unusual behavior and remain vigilant for official security updates from TP-Link. These measures can help minimize risk until permanent fixes are provided.

Impact

• Sensitive Credential Theft
• SQL Injection
• Unauthorize Access

Indicators of Compromise

CVE

• CVE-2025-29648

• CVE-2025-29649

• CVE-2025-29650

• CVE-2025-29653

Affected Vendors

Remediation

• Change default admin credentials immediately to strong, unique passwords.
• Disable remote management features on the router unless absolutely necessary.
• Update router firmware to the latest available version from TP-Link's official website.
• Use network monitoring tools to detect unusual or suspicious activity on your network.
• Limit access to the web management interface to trusted local devices only.
• Segment the network to reduce the impact if a router is compromised (e.g., separate guest and internal networks).
• Stay informed through TP-Link security advisories for upcoming patches or updates.
• Consider replacing vulnerable devices with newer, secure models if no patch becomes available.