TP-Link Archer C50/C20
CVE-2025-6982
MEDIUM
Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Use of Hard-coded Credentials in TP-Link Archer C50 V3(
<=
180703)/V4(
<=
250117
)/V5(
<=
200407
), and C20 V5 (<US_V5_260419 or <EU_V5_260317) allows attackers to decrypt the config.xml files.
AnalysisAI
Hard-coded credentials embedded in TP-Link Archer C50 (V3 through V5) and C20 V5 firmware enable attackers with local network access and limited privileges to decrypt configuration files (config.xml), potentially exposing sensitive network settings, credentials, and device state. CVSS 6.9 reflects high confidentiality impact despite local-only attack vector. EPSS score of 0.03% (10th percentile) suggests low real-world exploitation probability, contradicting the publicly disclosed vulnerability mechanics.
Technical ContextAI
TP-Link Archer routers store configuration data in encrypted XML files (config.xml) on the device filesystem. The vulnerability stems from CWE-798 (use of hard-coded credentials), where the encryption key or decryption mechanism relies on static, unchangeable credentials embedded in firmware. An attacker with local network access who can authenticate to the router management interface (HTTP/HTTPS on port 80/443 or telnet/SSH on legacy versions) can access the filesystem or backup/restore function, retrieve the encrypted config.xml, and decrypt it using the hard-coded credential embedded in the affected firmware versions. The vulnerability affects Archer C50 V3 (≤180703), V4 (≤250117), V5 (≤200407), and C20 V5 (US <260419, EU <260317). Root cause is insufficient key management and failure to implement per-device or per-installation encryption keys.
Affected ProductsAI
TP-Link Archer C50 V3 firmware version 180703 and earlier, Archer C50 V4 firmware version 250117 and earlier, Archer C50 V5 firmware version 200407 and earlier, and TP-Link Archer C20 V5 with firmware US_V5 version 260419 or earlier (or EU_V5 version 260317 or earlier). Full product names are TP-Link Archer C50 and TP-Link Archer C20 dual-band Wi-Fi routers.
RemediationAI
Apply vendor-released firmware patches: for Archer C50 V3/V4/V5, update to the latest firmware version released after the vulnerable versions listed above; for Archer C20 V5, update to firmware US_V5_260419 or later, or EU_V5_260317 or later depending on region. Firmware is available from https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware and regional variants. As a compensating control if patches cannot be applied immediately, restrict management interface access to trusted internal IP addresses only (disable WAN access to HTTP/HTTPS management port via firewall rules), change default admin credentials to strong passwords to prevent unauthorized authenticated access, and physically isolate the router from untrusted local network segments. Caution: compensating controls do not eliminate the vulnerability for users already on the local network; they only reduce the attack surface. Monitor configuration backups and restrict access to any exported config.xml files, as these contain encrypted but now-decryptable sensitive data.
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set
Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c
Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta
TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental
A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi
Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio
In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today