PatchSiren cyber security CVE debrief
CVE-2023-6437 TP-Link CVE debrief
CVE-2023-6437 is a critical OS command injection issue associated with several TP-Link router models. The CVE description says the flaw allows authenticated OS command injection in TP-Link EX20v AX1800, Archer C5v AC1200, TD-W9970, TD-W9970v3, VX220-G2u, and VN020-G2u, with some models noted as no longer produced and supported. NVD rates the issue as CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). For defenders, the main concern is fast inventory, exposure reduction, and replacement planning for unsupported units.
- Vendor
- TP-Link
- Product
- TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3, TP-Link VX220-G2u, TP-Link VN020-G2u
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-03-28
- Original CVE updated
- 2026-05-20
- Advisory published
- 2024-03-28
- Advisory updated
- 2026-05-20
Who should care
Network and security teams responsible for the listed TP-Link router models, especially environments with remote management exposure or unsupported VX220-G2u and VN020-G2u devices. MSPs and IT teams managing branch, home-office, or small-office router fleets should also prioritize review.
Technical summary
The record maps CVE-2023-6437 to CWE-78 (OS command injection). The narrative description states the issue allows authenticated command injection on affected TP-Link devices, while the NVD CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which does not reflect an authentication requirement. NVD marks the vulnerability status as Deferred, so remediation detail in the public record is limited.
Defensive priority
Immediate. Treat the issue as critical for any confirmed affected device and prioritize inventory, containment, and remediation or replacement. Unsupported devices should be treated as replacement candidates rather than long-term patch targets.
Recommended defensive actions
- Inventory all TP-Link devices and confirm whether any of the listed models are in use, including branch or remote sites.
- Check for a vendor-provided firmware update or security bulletin for each confirmed model and apply it if available.
- For VX220-G2u and VN020-G2u units noted as no longer produced and supported, plan expedited replacement.
- Restrict administrative access to trusted management hosts and networks until the device can be updated or replaced.
- Segment or isolate affected devices from sensitive internal resources if they must remain in service temporarily.
- Review device configuration and access logs for unexpected changes or signs of unauthorized command execution.
Evidence notes
The supplied corpus identifies the issue in the CVE record and NVD detail page, with official USOM references included by NVD. The record explicitly states the affected TP-Link model names and the unsupported-status note for some units. NVD lists CWE-78 and marks the vulnerability status as Deferred, which suggests the public record may not include complete remediation guidance. The corpus also contains a narrative/CVSS privilege-level inconsistency: the description says authenticated injection, while the CVSS vector uses PR:N.
Official resources
Publicly disclosed in the CVE record on 2024-03-28; the NVD record was last modified on 2026-05-20.