CVE-2026-5363
Published 2026-04-16
Priority P352 · high · 8.8 (CVSS 3.1)
AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.09% (0.6th percentile)
Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.
An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7: through Build 20220715.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_c7_firmware | < 1.2.1 | 1.2.1 |
| tp-link_systems_inc | archer_c7_v5_and_v5.8 | <= Build 20220715 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 5.4 | MEDIUM | CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-r35r-mrc6-xgfp: Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5
ghsa_unreviewed·2026-04-16
CVE-2026-5363 [MEDIUM] CWE-326 GHSA-r35r-mrc6-xgfp: Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5
VulDB
TP-Link Archer C7 5/5.8 Web Interface inadequate encryption
vuldb·2026-04-16·CVSS 5.4
CVE-2026-5363 [MEDIUM] TP-Link Archer C7 5/5.8 Web Interface inadequate encryption
A vulnerability categorized as problematic has been discovered in TP-Link Archer C7 5/5.8. This issue affects some unknown processing of the component Web Interface. The manipulation results in inadequate encryption strength. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is cataloged as CVE-2026-5363. The attack may be launched remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.