{"document": {"category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": {"category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/"}, "title": "TP-Link WR841N Router multiple vulnerabilities", "tracking": {"current_release_date": "2026-04-29T14:27:50Z", "generator": {"engine": {"name": "VINCE-NT", "version": "1.14.0+build.69"}}, "id": "VA-26-119-02", "initial_release_date": "2026-04-29T14:27:50Z", "status": "final", "version": "1.0.0", "revision_history": [{"number": "1.0.0", "summary": "Initial publication", "date": "2026-04-29T14:27:50Z"}]}, "distribution": {"tlp": {"label": "WHITE"}}, "notes": [{"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer"}, {"text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other"}, {"text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other"}, {"text": "Multiple TP-Link products (TP-Link Archer C20 V5, Archer C20 6.0, Archer AX53 v1.0 and TL-WR841N v13) are affected by multiple vulnerabilities. The most severe of these vulnerabilities could allow an adjacent, unauthenticated attacker to execute administrative commands.", "title": "Risk Evaluation", "category": "summary"}, {"text": "Update to the versions specified in the TP-Link advisory.", "title": "Recommended Practices", "category": "general"}, {"text": "United States", "title": "Company Headquarters Location", "category": "other"}], "references": [{"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-119-02.json", "summary": "Vulnerability Advisory VA-26-119-02 CSAF", "category": "self"}]}, "product_tree": {"branches": [{"category": "vendor", "name": "TP-Link Systems Inc.", "branches": [{"category": "product_name", "name": "Archer AX53 v1.0", "branches": [{"category": "product_version_range", "name": "<V1_251215", "product": {"name": "TP-Link Systems Inc. Archer AX53 v1.0 <V1_251215", "product_id": "CSAFPID-0001"}}, {"category": "product_version", "name": "V1_251215", "product": {"name": "TP-Link Systems Inc. Archer AX53 v1.0 V1_251215", "product_id": "CSAFPID-0002"}}]}, {"category": "product_name", "name": "Archer C20 V5", "branches": [{"category": "product_version_range", "name": "<US_V5_260419", "product": {"name": "TP-Link Systems Inc. Archer C20 V5 <US_V5_260419", "product_id": "CSAFPID-0003"}}, {"category": "product_version", "name": "US_V5_260419", "product": {"name": "TP-Link Systems Inc. Archer C20 V5 US_V5_260419", "product_id": "CSAFPID-0004"}}, {"category": "product_version_range", "name": "<EU_V5_260317", "product": {"name": "TP-Link Systems Inc. Archer C20 V5 <EU_V5_260317", "product_id": "CSAFPID-0005"}}, {"category": "product_version", "name": "EU_V5_260317", "product": {"name": "TP-Link Systems Inc. Archer C20 V5 EU_V5_260317", "product_id": "CSAFPID-0006"}}]}, {"category": "product_name", "name": "Archer C20 v6.0", "branches": [{"category": "product_version_range", "name": "<V6_251031", "product": {"name": "TP-Link Systems Inc. Archer C20 v6.0 <V6_251031", "product_id": "CSAFPID-0007"}}, {"category": "product_version", "name": "V6_251031", "product": {"name": "TP-Link Systems Inc. Archer C20 v6.0 V6_251031", "product_id": "CSAFPID-0008"}}]}, {"category": "product_name", "name": "TL-WR841N v13", "branches": [{"category": "product_version_range", "name": "<0.9.1 Build 20231120 Rel.62366", "product": {"name": "TP-Link Systems Inc. TL-WR841N v13 <0.9.1 Build 20231120 Rel.62366", "product_id": "CSAFPID-0009"}}, {"category": "product_version", "name": "0.9.1 Build 20231120 Rel.62366", "product": {"name": "TP-Link Systems Inc. TL-WR841N v13 0.9.1 Build 20231120 Rel.62366", "product_id": "CSAFPID-0010"}}]}, {"category": "product_name", "name": "TL-WR841N v13", "branches": [{"category": "product_version_range", "name": "<0.9.1 Build 20231120 Rel.62366", "product": {"name": "TP-Link Systems Inc. TL-WR841N v13 <0.9.1 Build 20231120 Rel.62366", "product_id": "CSAFPID-0011"}}, {"category": "product_version", "name": "0.9.1 Build 20231120 Rel.62366", "product": {"name": "TP-Link Systems Inc. TL-WR841N v13 0.9.1 Build 20231120 Rel.62366", "product_id": "CSAFPID-0012"}}]}]}]}, "vulnerabilities": [{"cve": "CVE-2026-0834", "cwe": {"id": "CWE-290", "name": "Authentication Bypass by Spoofing"}, "notes": [{"category": "summary", "text": "Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials.\u00a0Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. Fixed in Archer C20 V6_251031, Archer C20 EU_V5_260317, Archer C20\u00a0US_V5_260419, Archer AX53 V1_251215, TL-WR841N v13\u00a00.9.1 Build 20231120 Rel.62366.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:P/A:N/T:T/2026-04-28T18:11:36Z/"}], "title": "Logic Vulnerability on TP-Link Archer C20, Archer AX53 and TL-WR841N v13", "product_status": {"known_affected": ["CSAFPID-0009", "CSAFPID-0007", "CSAFPID-0003", "CSAFPID-0005", "CSAFPID-0001"], "fixed": ["CSAFPID-0010", "CSAFPID-0008", "CSAFPID-0004", "CSAFPID-0006", "CSAFPID-0002"]}, "references": [{"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware"}, {"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware"}, {"category": "external", "summary": "mattg.systems", "url": "https://mattg.systems/posts/cve-2026-0834/"}, {"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/us/support/faq/4905/"}, {"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware"}, {"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware"}, {"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware"}, {"category": "external", "summary": "VA-26-119-02 CSAF", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-02.json"}, {"category": "external", "summary": "CVE-2026-0834", "url": "https://www.cve.org/CVERecord?id=CVE-2026-0834"}], "scores": [{"cvss_v3": {"baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "products": ["CSAFPID-0009", "CSAFPID-0007", "CSAFPID-0003", "CSAFPID-0005", "CSAFPID-0001"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 0.9.1 Build 20231120 Rel.62366.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0009"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 0.9.1 Build 20231120 Rel.62366.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0010"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in V6_251031.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0007"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in V6_251031.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0008"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in US_V5_260419.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0003"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in US_V5_260419.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0004"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in EU_V5_260317.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0005"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in EU_V5_260317.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0006"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in V1_251215.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0001"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in V1_251215.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0002"], "date": "2026-01-21T00:00:00Z"}], "acknowledgments": [{"organization": "Dream Group", "names": ["Ben Grinberg", " Adiel Sol", " Daniel Lubel", " Erez Cohen", " Nir Somech", " Arad Inbar"]}], "release_date": "2026-01-21T00:00:00Z"}, {"cve": "CVE-2026-5039", "cwe": {"id": "CWE-1394", "name": "Use of Default Cryptographic Key"}, "notes": [{"category": "summary", "text": "TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition. Fixed in TL-WR841N v13 0.9.1 Build 20231120 Rel.62366.", "title": "Description"}, {"category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2026-04-28T18:14:05Z/"}], "title": "Predictable Default Cryptographic Key Used for DES Encryption in TP-Link TL-WL841N", "product_status": {"known_affected": ["CSAFPID-0009"], "fixed": ["CSAFPID-0010"]}, "references": [{"category": "external", "summary": "www.tp-link.com", "url": "https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware"}, {"category": "external", "summary": "VA-26-119-02 CSAF", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-02.json"}, {"category": "external", "summary": "CVE-2026-5039", "url": "https://www.cve.org/CVERecord?id=CVE-2026-5039"}], "scores": [{"cvss_v3": {"baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "products": ["CSAFPID-0009"]}], "remediations": [{"category": "vendor_fix", "details": "Fixed in 0.9.1 Build 20231120 Rel.62366.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0009"], "date": "2026-01-21T00:00:00Z"}, {"category": "vendor_fix", "details": "Fixed in 0.9.1 Build 20231120 Rel.62366.", "url": "https://www.tp-link.com/us/support/faq/4905/", "product_ids": ["CSAFPID-0010"], "date": "2026-01-21T00:00:00Z"}], "acknowledgments": [{"organization": "Dream Group", "names": ["Ben Grinberg", " Adiel Sol", " Daniel Lubel", " Erez Cohen", " Nir Somech", " Arad Inbar"]}], "release_date": "2026-04-23T00:00:00Z"}]}