Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Deco M5 Deco M5 V1 by TP-Link Systems Inc.

    CVE-2026-5040 (GCVE-0-2026-5040)

    Vulnerability from nvd – Published: 2026-07-14 18:00 – Updated: 2026-07-15 10:27
    VLAI
    Title
    Weak Password Hashing Mechanism in TP-Link Deco M5
    Summary
    TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Deco M5 Deco M5 V1 Affected: 0 , < 1.9.4 Build 20260312 Rel.17129 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:01:00.675503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:27:47.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Deco M5 Deco M5 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.9.4 Build 20260312 Rel.17129",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\u003cbr\u003eSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\nSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:00:32.162Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/en/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/5190/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Weak Password Hashing Mechanism in TP-Link Deco M5",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-5040",
        "datePublished": "2026-07-14T18:00:32.162Z",
        "dateReserved": "2026-03-27T16:26:49.615Z",
        "dateUpdated": "2026-07-15T10:27:47.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5040 (GCVE-0-2026-5040)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:00 – Updated: 2026-07-15 10:27
    VLAI
    Title
    Weak Password Hashing Mechanism in TP-Link Deco M5
    Summary
    TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-916 - Use of Password Hash With Insufficient Computational Effort
    Assigner
    Impacted products
    Vendor Product Version
    TP-Link Systems Inc. Deco M5 Deco M5 V1 Affected: 0 , < 1.9.4 Build 20260312 Rel.17129 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5040",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T04:01:00.675503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:27:47.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Deco M5 Deco M5 V1",
              "vendor": "TP-Link Systems Inc.",
              "versions": [
                {
                  "lessThan": "1.9.4 Build 20260312 Rel.17129",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\u003cbr\u003eSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.\u0026nbsp;\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials.  An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.\n\nSuccessful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-55",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-55 Rainbow Table Password Cracking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-916",
                  "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:00:32.162Z",
            "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
            "shortName": "TPLink"
          },
          "references": [
            {
              "url": "https://www.tp-link.com/us/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/en/support/download/deco-m5/v1/#Firmware"
            },
            {
              "url": "https://www.tp-link.com/us/support/faq/5190/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Weak Password Hashing Mechanism in TP-Link Deco M5",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "assignerShortName": "TPLink",
        "cveId": "CVE-2026-5040",
        "datePublished": "2026-07-14T18:00:32.162Z",
        "dateReserved": "2026-03-27T16:26:49.615Z",
        "dateUpdated": "2026-07-15T10:27:47.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }