VA-26-119-02
Vulnerability from csaf_cisa - Published: 2026-04-29 14:27 - Updated: 2026-04-29 14:27
Summary
TP-Link WR841N Router multiple vulnerabilities
Notes
Legal Notice: All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed: Worldwide
Critical Infrastructure Sectors: Information Technology
Risk Evaluation: Multiple TP-Link products (TP-Link Archer C20 V5, Archer C20 6.0, Archer AX53 v1.0 and TL-WR841N v13) are affected by multiple vulnerabilities. The most severe of these vulnerabilities could allow an adjacent, unauthenticated attacker to execute administrative commands.
Recommended Practices: Update to the versions specified in the TP-Link advisory.
Company Headquarters Location: United States
8.3 (High)
Vendor Fix
Fixed in 0.9.1 Build 20231120 Rel.62366.
https://www.tp-link.com/us/support/faq/4905/
Vendor Fix
Fixed in V6_251031.
https://www.tp-link.com/us/support/faq/4905/
Vendor Fix
Fixed in US_V5_260419.
https://www.tp-link.com/us/support/faq/4905/
Vendor Fix
Fixed in EU_V5_260317.
https://www.tp-link.com/us/support/faq/4905/
Vendor Fix
Fixed in V1_251215.
https://www.tp-link.com/us/support/faq/4905/
8.3 (High)
Vendor Fix
Fixed in 0.9.1 Build 20231120 Rel.62366.
https://www.tp-link.com/us/support/faq/4905/
References
Acknowledgments
Dream Group
Ben Grinberg
Adiel Sol
Daniel Lubel
Erez Cohen
Nir Somech
Arad Inbar
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
"title": "Legal Notice"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries and Areas Deployed"
},
{
"category": "other",
"text": "Information Technology",
"title": "Critical Infrastructure Sectors"
},
{
"category": "summary",
"text": "Multiple TP-Link products (TP-Link Archer C20 V5, Archer C20 6.0, Archer AX53 v1.0 and TL-WR841N v13) are affected by multiple vulnerabilities. The most severe of these vulnerabilities could allow an adjacent, unauthenticated attacker to execute administrative commands.",
"title": "Risk Evaluation"
},
{
"category": "general",
"text": "Update to the versions specified in the TP-Link advisory.",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "United States",
"title": "Company Headquarters Location"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "https://www.cisa.gov/report",
"issuing_authority": "CISA",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "Vulnerability Advisory VA-26-119-02 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-119-02.json"
}
],
"title": "TP-Link WR841N Router multiple vulnerabilities",
"tracking": {
"current_release_date": "2026-04-29T14:27:50Z",
"generator": {
"engine": {
"name": "VINCE-NT",
"version": "1.14.0+build.69"
}
},
"id": "VA-26-119-02",
"initial_release_date": "2026-04-29T14:27:50Z",
"revision_history": [
{
"date": "2026-04-29T14:27:50Z",
"number": "1.0.0",
"summary": "Initial publication"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV1_251215",
"product": {
"name": "TP-Link Systems Inc. Archer AX53 v1.0 \u003cV1_251215",
"product_id": "CSAFPID-0001"
}
},
{
"category": "product_version",
"name": "V1_251215",
"product": {
"name": "TP-Link Systems Inc. Archer AX53 v1.0 V1_251215",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Archer AX53 v1.0"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cUS_V5_260419",
"product": {
"name": "TP-Link Systems Inc. Archer C20 V5 \u003cUS_V5_260419",
"product_id": "CSAFPID-0003"
}
},
{
"category": "product_version",
"name": "US_V5_260419",
"product": {
"name": "TP-Link Systems Inc. Archer C20 V5 US_V5_260419",
"product_id": "CSAFPID-0004"
}
},
{
"category": "product_version_range",
"name": "\u003cEU_V5_260317",
"product": {
"name": "TP-Link Systems Inc. Archer C20 V5 \u003cEU_V5_260317",
"product_id": "CSAFPID-0005"
}
},
{
"category": "product_version",
"name": "EU_V5_260317",
"product": {
"name": "TP-Link Systems Inc. Archer C20 V5 EU_V5_260317",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "Archer C20 V5"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cV6_251031",
"product": {
"name": "TP-Link Systems Inc. Archer C20 v6.0 \u003cV6_251031",
"product_id": "CSAFPID-0007"
}
},
{
"category": "product_version",
"name": "V6_251031",
"product": {
"name": "TP-Link Systems Inc. Archer C20 v6.0 V6_251031",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "Archer C20 v6.0"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c0.9.1 Build 20231120 Rel.62366",
"product": {
"name": "TP-Link Systems Inc. TL-WR841N v13 \u003c0.9.1 Build 20231120 Rel.62366",
"product_id": "CSAFPID-0009"
}
},
{
"category": "product_version",
"name": "0.9.1 Build 20231120 Rel.62366",
"product": {
"name": "TP-Link Systems Inc. TL-WR841N v13 0.9.1 Build 20231120 Rel.62366",
"product_id": "CSAFPID-0010"
}
}
],
"category": "product_name",
"name": "TL-WR841N v13"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c0.9.1 Build 20231120 Rel.62366",
"product": {
"name": "TP-Link Systems Inc. TL-WR841N v13 \u003c0.9.1 Build 20231120 Rel.62366",
"product_id": "CSAFPID-0011"
}
},
{
"category": "product_version",
"name": "0.9.1 Build 20231120 Rel.62366",
"product": {
"name": "TP-Link Systems Inc. TL-WR841N v13 0.9.1 Build 20231120 Rel.62366",
"product_id": "CSAFPID-0012"
}
}
],
"category": "product_name",
"name": "TL-WR841N v13"
}
],
"category": "vendor",
"name": "TP-Link Systems Inc."
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ben Grinberg",
" Adiel Sol",
" Daniel Lubel",
" Erez Cohen",
" Nir Somech",
" Arad Inbar"
],
"organization": "Dream Group"
}
],
"cve": "CVE-2026-0834",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"notes": [
{
"category": "summary",
"text": "Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials.\u00a0Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. Fixed in Archer C20 V6_251031, Archer C20 EU_V5_260317, Archer C20\u00a0US_V5_260419, Archer AX53 V1_251215, TL-WR841N v13\u00a00.9.1 Build 20231120 Rel.62366.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:P/A:N/T:T/2026-04-28T18:11:36Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0010",
"CSAFPID-0008",
"CSAFPID-0004",
"CSAFPID-0006",
"CSAFPID-0002"
],
"known_affected": [
"CSAFPID-0009",
"CSAFPID-0007",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware"
},
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware"
},
{
"category": "external",
"summary": "mattg.systems",
"url": "https://mattg.systems/posts/cve-2026-0834/"
},
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware"
},
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware"
},
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware"
},
{
"category": "external",
"summary": "VA-26-119-02 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-02.json"
},
{
"category": "external",
"summary": "CVE-2026-0834",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0834"
}
],
"release_date": "2026-01-21T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in 0.9.1 Build 20231120 Rel.62366.",
"product_ids": [
"CSAFPID-0009"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in 0.9.1 Build 20231120 Rel.62366.",
"product_ids": [
"CSAFPID-0010"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in V6_251031.",
"product_ids": [
"CSAFPID-0007"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in V6_251031.",
"product_ids": [
"CSAFPID-0008"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in US_V5_260419.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in US_V5_260419.",
"product_ids": [
"CSAFPID-0004"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in EU_V5_260317.",
"product_ids": [
"CSAFPID-0005"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in EU_V5_260317.",
"product_ids": [
"CSAFPID-0006"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in V1_251215.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in V1_251215.",
"product_ids": [
"CSAFPID-0002"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0009",
"CSAFPID-0007",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0001"
]
}
],
"title": "Logic Vulnerability on TP-Link Archer C20, Archer AX53 and TL-WR841N v13"
},
{
"acknowledgments": [
{
"names": [
"Ben Grinberg",
" Adiel Sol",
" Daniel Lubel",
" Erez Cohen",
" Nir Somech",
" Arad Inbar"
],
"organization": "Dream Group"
}
],
"cve": "CVE-2026-5039",
"cwe": {
"id": "CWE-1394",
"name": "Use of Default Cryptographic Key"
},
"notes": [
{
"category": "summary",
"text": "TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition. Fixed in TL-WR841N v13 0.9.1 Build 20231120 Rel.62366.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2026-04-28T18:14:05Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0010"
],
"known_affected": [
"CSAFPID-0009"
]
},
"references": [
{
"category": "external",
"summary": "www.tp-link.com",
"url": "https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware"
},
{
"category": "external",
"summary": "VA-26-119-02 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-02.json"
},
{
"category": "external",
"summary": "CVE-2026-5039",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5039"
}
],
"release_date": "2026-04-23T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in 0.9.1 Build 20231120 Rel.62366.",
"product_ids": [
"CSAFPID-0009"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
},
{
"category": "vendor_fix",
"date": "2026-01-21T00:00:00Z",
"details": "Fixed in 0.9.1 Build 20231120 Rel.62366.",
"product_ids": [
"CSAFPID-0010"
],
"url": "https://www.tp-link.com/us/support/faq/4905/"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0009"
]
}
],
"title": "Predictable Default Cryptographic Key Used for DES Encryption in TP-Link TL-WL841N"
}
]
}