TP-Link Archer C50/C20 CVE-2025-6982
MEDIUM
CVSS Vector (NVD)
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Use of Hard-coded Credentials in TP-Link Archer C50 V3 (<= 180703)/V4 (<= 250117)/V5 (<= 200407), and C20 V5 (<US_V5_260419 or <EU_V5_260317) allows attackers to decrypt the config.xml files.
Analysis (AI)
Hard-coded credentials embedded in TP-Link Archer C50 (V3 through V5) and C20 V5 firmware enable attackers with local network access and limited privileges to decrypt configuration files (config.xml), potentially exposing sensitive network settings, credentials, and device state. The CVSS score of 6.9 reflects the high confidentiality impact despite an attack vector limited to the adjacent network (AV:A). The EPSS score of 0.03% (10th percentile) suggests a low probability of real-world exploitation, in contrast to the publicly disclosed vulnerability mechanics.
Technical Context (AI)
TP-Link Archer routers store configuration data in encrypted XML files (config.xml) on the device filesystem. The vulnerability stems from CWE-798 (use of hard-coded credentials), where the encryption key or decryption mechanism relies on static, unchangeable credentials embedded in firmware. An attacker with local network access who can authenticate to the router management interface (HTTP/HTTPS on port 80/443 or telnet/SSH on legacy versions) can access the filesystem or backup/restore function, retrieve the encrypted config.xml, and decrypt it using the hard-coded credential embedded in the affected firmware versions. The vulnerability affects Archer C50 V3 (≤180703), V4 (≤250117), V5 (≤200407), and C20 V5 (US <260419, EU <260317). Root cause is insufficient key management and failure to implement per-device or per-installation encryption keys.
Affected Products (AI)
TP-Link Archer C50 V3 firmware version 180703 and earlier, Archer C50 V4 firmware version 250117 and earlier, Archer C50 V5 firmware version 200407 and earlier, and TP-Link Archer C20 V5 with firmware earlier than US_V5_260419 (or earlier than EU_V5_260317). Full product names are TP-Link Archer C50 and TP-Link Archer C20 dual-band Wi-Fi routers.
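To triage a device inventory against the ranges above, the following added example (not code from NVD, TP-Link, or this site) classifies each device using the bounds in the NVD description. The inventory line format and the choice to compare build stamps as plain integers are assumptions; a C20 V5 with no recorded region is reported as unknown rather than guessed.

```python
import re

# Affected bounds as listed in the NVD description on this page:
# (model, hardware rev, region) -> (build stamp, True for "<=" / False for "<").
AFFECTED = {
    ("C50", "V3", None): (180703, True),
    ("C50", "V4", None): (250117, True),
    ("C50", "V5", None): (200407, True),
    ("C20", "V5", "US"): (260419, False),
    ("C20", "V5", "EU"): (260317, False),
}

# Assumed (hypothetical) inventory line:
#   "<host> Archer <model> <hw> [US|EU] build <6 digits>"
LINE_RE = re.compile(
    r"^(\S+)\s+Archer\s+(C\d+)\s+(V\d+)(?:\s+(US|EU))?\s+build\s+(\d{6})\s*$",
    re.I)

def classify(model, hw, region, build):
    """Return 'affected', 'outside-range' or 'unknown' for one device."""
    model, hw = model.upper(), hw.upper()
    # Only the C20 bounds are region-specific; a C20 without a region is 'unknown'.
    region = region.upper() if (region and model == "C20") else None
    bound = AFFECTED.get((model, hw, region))
    if bound is None:
        return "unknown"
    limit, inclusive = bound
    # Assumption: build stamps are compared as plain integers.
    hit = build <= limit if inclusive else build < limit
    return "affected" if hit else "outside-range"

def triage(lines):
    """Map host -> status; lines that do not parse are reported as 'unparsed'."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            parts = line.split()
            report[parts[0] if parts else "<blank>"] = "unparsed"
            continue
        host, model, hw, region, build = m.groups()
        report[host] = classify(model, hw, region, int(build))
    return report

# Constructed sample inventory (not real devices).
SAMPLE = [
    "rtr-01 Archer C50 V4 build 250117",
    "rtr-02 Archer C20 V5 US build 260419",
    "rtr-03 Archer C20 V5 EU build 260316",
    "rtr-04 Archer C20 V5 build 250101",
    "rtr-05 Archer C50 V3 build 180704",
    "rtr-06 firmware string missing",
]
```

Devices reported as unknown or unparsed need manual review; they are not confirmed safe.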
Remediation (AI)
Apply vendor-released firmware patches: for Archer C50 V3/V4/V5, update to the latest firmware version released after the vulnerable versions listed above; for Archer C20 V5, update to firmware US_V5_260419 or later, or EU_V5_260317 or later depending on region. Firmware is available from https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware and regional variants. As a compensating control if patches cannot be applied immediately, restrict management interface access to trusted internal IP addresses only (disable WAN access to HTTP/HTTPS management port via firewall rules), change default admin credentials to strong passwords to prevent unauthorized authenticated access, and physically isolate the router from untrusted local network segments. Caution: compensating controls do not eliminate the vulnerability for users already on the local network; they only reduce the attack surface. Monitor configuration backups and restrict access to any exported config.xml files, as these contain encrypted but now-decryptable sensitive data.