Skip to main content

TP-Link Archer C64 EUVDEUVD-2026-32929

| CVE-2026-8697 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-28 TPLink GHSA-f294-r353-6vv8
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 17:23 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
8.7 (HIGH)

DescriptionCVE.org

Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.

Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

AnalysisAI

Credential brute-forcing against TP-Link Archer C64 v1 routers is possible via an undocumented debug SSH service that shares credentials with the web admin interface but enforces no authentication rate-limiting. Adjacent attackers (same Wi-Fi or LAN segment) can iterate password guesses without lockout to recover the administrator password and take full control of the router. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (High) and a vendor patch is available.

Technical ContextAI

The affected device is the TP-Link Archer C64 v1.0 consumer Wi-Fi router (CPE cpe:2.3:a:tp-link_systems_inc.:archer_c64_v1.0). The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the router exposes a debug SSH daemon that authenticates against the same credential store as the HTTP management UI, but unlike the web interface - which typically enforces lockouts or back-off after failed logins - the SSH path inherits none of those protections. Because SSH supports rapid automated authentication attempts via tools such as Hydra, Medusa, or scripted libssh clients, the missing rate-limit converts a hardened web login into an exposed brute-force oracle for the same admin password.

RemediationAI

Patch available per vendor advisory: download and install the latest Archer C64 v1 firmware from https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware and consult https://www.tp-link.com/us/support/faq/5105/ for guidance (the exact fixed firmware version string is not provided in the input data and should be confirmed against the vendor page before deployment). Until the firmware is applied, set a long, high-entropy admin password (16+ characters, random) so brute-forcing is computationally impractical, and restrict Wi-Fi access to trusted clients via WPA2/WPA3 with a strong PSK to remove adjacent attackers from the attack surface; on multi-SSID deployments, isolate guest networks from the management VLAN. If the device permits disabling SSH or restricting SSH source IPs through the UI, do so - note that this also blocks any legitimate remote diagnostics. Avoid exposing the router's LAN-side management to untrusted Wi-Fi networks (e.g., open guest SSIDs bridged to LAN).

Share

EUVD-2026-32929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy