Skip to main content

Deco M5 Deco M5 V1

1 CVEs product

Monthly

CVE-2026-5040 HIGH PATCH This Week

Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point.

TP-Link Authentication Bypass Deco M5 Deco M5 V1
NVD
CVSS 4.0
7.1
EPSS
0.1%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point.

TP-Link Authentication Bypass Deco M5 Deco M5 V1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy