CVE-2021-3125
7.5 HIGH
In TP-Link TL-XDR3230 < 1.0.12, TL-XDR1850 < 1.0.9, TL-XDR1860 < 1.0.14, TL-XDR3250 < 1.0.2, TL-XDR6060 Turbo < 1.1.8, TL-XDR5430 < 1.0.1...
Published: 2021-04-12 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-834
Affected products
| Vendor | Product |
|---|---|
| tp-link | tl-xdr1850_firmware, tl-xdr1860_firmware, tl-xdr3230_firmware |
Description
In TP-Link TL-XDR3230 < 1.0.12, TL-XDR1850 < 1.0.9, TL-XDR1860 < 1.0.14, TL-XDR3250 < 1.0.2, TL-XDR6060 Turbo < 1.1.8, TL-XDR5430 < 1.0.11, and possibly others, when IPv6 is used, a routing loop can occur that generates excessive network traffic between an affected device and its upstream ISP's router. This occurs when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-3125)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8719.html)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8720.html)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8722.html)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8723.html)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8724.html)
- [Vendor advisory](https://service.tp-link.com.cn/detail_download_8725.html)
Related CVEs
Same vendor
- CVE-2026-6250 — An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input (8.1 HIGH)
- CVE-2026-1871 — TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorizat... (6.5 MEDIUM)
- CVE-2026-34127 — A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch d... (4.8 MEDIUM)
- CVE-2026-34126 — TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication du... (7.5 HIGH)
- CVE-2026-8697 — Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited aut... (8.8 HIGH)
Same CWE
- CVE-2026-45680 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.9 MEDIUM)
- CVE-2026-48156 — pypdf is a free and open-source pure-python PDF library (3.3 LOW)
- CVE-2021-39204 — Pomerium is an open source identity-aware access proxy (7.5 HIGH)
- CVE-2021-3128 — In ASUS RT-AX3000, ZenWiFi AX (XT8), RT-AX88U, and other ASUS routers with firmware < 3.0.0.4.386.42095 or < 9.0.0.4.386.41994, when IPv6... (7.5 HIGH)