CVE-2026-5363
8.8 HIGHInadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation
Published: 2026-04-16 · Last updated: 2026-05-06
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-326
Affected products
| Vendor | Product |
|---|---|
| tp-link | archer_c7_firmware |
Description
Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7: through Build 20220715.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-1871 — TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorizat... (6.5 MEDIUM)
- CVE-2026-34127 — A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch d... (4.8 MEDIUM)
- CVE-2026-34126 — TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication du... (7.5 HIGH)
- CVE-2026-8697 — Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited aut... (8.8 HIGH)
- CVE-2026-5509 — An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 router that allows an administrator to execu... (7.2 HIGH)
Same CWE
- CVE-2026-41860 — CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM (8.8 HIGH)
- CVE-2026-8878 — Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensiti... (7.5 HIGH)
- CVE-2026-45787 — electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client (9.1 CRITICAL)
- CVE-2024-28755 — An issue was discovered in Mbed TLS 3.5.x before 3.6.0 (6.5 MEDIUM)
- CVE-2020-7565 — A CWE-326: Inadequate Encryption Strength vulnerability exists in Modicon M221 (all references, all versions) that could allow the attack... (7.3 HIGH)