Skip to main content

TP-Link Deco M5 CVE-2026-5040

| EUVDEUVD-2026-44362 HIGH
Use of Password Hash With Insufficient Computational Effort (CWE-916)
2026-07-14 TPLink GHSA-6vqq-hcvj-cx94
7.1
CVSS 4.0 · Vendor: TPLink
Share

Severity by source

Vendor (TPLink) PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.1 MEDIUM

Attacker needs local, high-privilege access to obtain the hash (AV:L/PR:H), offline cracking adds effort (AC:H), and impact is confidentiality-only per the description (C:H, I:N, A:N).

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TPLink).

CVSS VectorVendor: TPLink

CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 23:20 EUVD
Analysis Generated
Jul 14, 2026 - 20:08 vuln.today
CVE Published
Jul 14, 2026 - 18:00 cve.org
HIGH 7.1

DescriptionCVE.org

TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.

Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.

AnalysisAI

Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise device or gain privileged access
Delivery
Extract stored credential hash
Exploit
Crack weak hash offline (dictionary/brute-force)
Execution
Recover plaintext admin password
Persist
Authenticate to device management
Impact
Access management functions per recovered privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess the stored password hash, which per the description is only obtainable 'through system compromise or privileged access' to the Deco M5 v1 - consistent with the CVSS AV:L and PR:H metrics. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a meaningful but conditional weakness, not a top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already gained privileged or local access to a Deco M5 v1 unit - for example via a separate firmware flaw, a stolen configuration backup, or physical/administrative access - extracts the stored credential hash from the device. Because the hash uses a weak, fast algorithm, the attacker cracks it offline with a wordlist or GPU brute-force and recovers the plaintext admin password, then reuses it to log into the device management interface and any accounts that share the password. …
Remediation Patch available per vendor advisory: apply the latest Deco M5 v1 firmware from TP-Link's download portal (https://www.tp-link.com/us/support/download/deco-m5/v1/#Firmware or the EN mirror), noting that the provided data does not confirm an exact first-fixed firmware version - verify the fixed build directly with TP-Link before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Deco M5 v1 devices and restrict both local and remote access to affected units through physical security and firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy