Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.
Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.
AnalysisAI
Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.
Technical ContextAI
The affected device is the TP-Link Archer C64 v1.0 consumer Wi-Fi router (CPE cpe:2.3:a:tp-link_systems_inc.:archer_c64_v1.0). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the router exposes a debug SSH daemon that authenticates against the same credential store as the HTTP management UI, but unlike the web interface - which typically enforces lockouts or back-off after failed logins - the SSH path inherits none of those protections. Because SSH supports rapid automated authentication attempts via tools such as Hydra, Medusa, or scripted libssh clients, the missing rate-limit converts a hardened web login into an exposed brute-force oracle for the same admin password.
RemediationAI
Patch available per vendor advisory: download and install the latest Archer C64 v1 firmware from https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware and consult https://www.tp-link.com/us/support/faq/5105/ for guidance (the exact fixed firmware version string is not provided in the input data and should be confirmed against the vendor page before deployment). Until the firmware is applied, set a long, high-entropy admin password (16+ characters, random) so brute-forcing is computationally impractical, and restrict Wi-Fi access to trusted clients via WPA2/WPA3 with a strong PSK to remove adjacent attackers from the attack surface; on multi-SSID deployments, isolate guest networks from the management VLAN. If the device permits disabling SSH or restricting SSH source IPs through the UI, do so - note that this also blocks any legitimate remote diagnostics. Avoid exposing the router's LAN-side management to untrusted Wi-Fi networks (e.g., open guest SSIDs bridged to LAN).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32929
GHSA-f294-r353-6vv8