TP-Link routers are vulnerable to CVE-2017-13772, a remote code execution flaw. An attacker can take control of the router. The exploit relies on the router’s default credentials, which many users don’t change. In the worst-case scenario, an attacker could gain access to thousands of devices using a mechanism similar to how botnets like Mirai worked.
Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered the bug and reported it to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router. Mabbitt warned TP-Link again in January 2018 that TP-Link’s WR740N was also vulnerable to the same bug because the company reused vulnerable code between devices.
According to a Shodan search for “WR740N”, more than 1,25,000 routers are vulnerable devices. Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.