Skip to main content

TP-Link Archer C50/C20 CVE-2025-6982

MEDIUM
Use of Hard-coded Credentials (CWE-798)
2025-07-16 f23511db-6c3e-4e32-a477-6aa17d310630
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 23, 2026 - 00:14 vuln.today

DescriptionCVE.org

Use of Hard-coded Credentials in TP-Link Archer C50 V3(

<=

180703)/V4(

<=

250117

)/V5(

<=

200407

), and C20 V5 (<US_V5_260419 or <EU_V5_260317) allows attackers to decrypt the config.xml files.

AnalysisAI

Hard-coded credentials embedded in TP-Link Archer C50 (V3 through V5) and C20 V5 firmware enable attackers with local network access and limited privileges to decrypt configuration files (config.xml), potentially exposing sensitive network settings, credentials, and device state. CVSS 6.9 reflects high confidentiality impact despite local-only attack vector. EPSS score of 0.03% (10th percentile) suggests low real-world exploitation probability, contradicting the publicly disclosed vulnerability mechanics.

Technical ContextAI

TP-Link Archer routers store configuration data in encrypted XML files (config.xml) on the device filesystem. The vulnerability stems from CWE-798 (use of hard-coded credentials), where the encryption key or decryption mechanism relies on static, unchangeable credentials embedded in firmware. An attacker with local network access who can authenticate to the router management interface (HTTP/HTTPS on port 80/443 or telnet/SSH on legacy versions) can access the filesystem or backup/restore function, retrieve the encrypted config.xml, and decrypt it using the hard-coded credential embedded in the affected firmware versions. The vulnerability affects Archer C50 V3 (≤180703), V4 (≤250117), V5 (≤200407), and C20 V5 (US <260419, EU <260317). Root cause is insufficient key management and failure to implement per-device or per-installation encryption keys.

Affected ProductsAI

TP-Link Archer C50 V3 firmware version 180703 and earlier, Archer C50 V4 firmware version 250117 and earlier, Archer C50 V5 firmware version 200407 and earlier, and TP-Link Archer C20 V5 with firmware US_V5 version 260419 or earlier (or EU_V5 version 260317 or earlier). Full product names are TP-Link Archer C50 and TP-Link Archer C20 dual-band Wi-Fi routers.

RemediationAI

Apply vendor-released firmware patches: for Archer C50 V3/V4/V5, update to the latest firmware version released after the vulnerable versions listed above; for Archer C20 V5, update to firmware US_V5_260419 or later, or EU_V5_260317 or later depending on region. Firmware is available from https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware and regional variants. As a compensating control if patches cannot be applied immediately, restrict management interface access to trusted internal IP addresses only (disable WAN access to HTTP/HTTPS management port via firewall rules), change default admin credentials to strong passwords to prevent unauthorized authenticated access, and physically isolate the router from untrusted local network segments. Caution: compensating controls do not eliminate the vulnerability for users already on the local network; they only reduce the attack surface. Monitor configuration backups and restrict access to any exported config.xml files, as these contain encrypted but now-decryptable sensitive data.

CVE-2015-3035 HIGH POC
7.5 Apr 22

Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before

CVE-2013-2578 CRITICAL POC
10.0 Oct 11

cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models be

CVE-2021-41653 CRITICAL POC
9.8 Nov 13

The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to r

CVE-2022-25061 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_set

CVE-2015-3036 CRITICAL POC
10.0 May 21

Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in c

CVE-2012-5687 HIGH POC
7.8 Nov 01

Directory traversal vulnerability in the web-based management feature on the TP-LINK TL-WR841N router with firmware 3.13

CVE-2022-25060 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_sta

CVE-2025-9377 HIGH
8.6 Aug 29

TP-Link Archer C7 and TL-WR841N routers contain an authenticated remote command execution vulnerability in the Parental

CVE-2024-57049 CRITICAL POC
9.8 Feb 18

A vulnerability in the TP-Link Archer c20 router with firmware version V6.6_230412 and earlier permits unauthorized indi

CVE-2017-13772 HIGH POC
8.8 Oct 23

Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers with hardware version 4 allow remote authenticated

CVE-2022-25064 CRITICAL POC
9.8 Feb 25

TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the functio

CVE-2022-30075 HIGH POC
8.8 Jun 09

In TP-Link Router AX50 firmware 210730 and older, import of a malicious backup file via web interface can lead to remote

Share

CVE-2025-6982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy