CVE-2026-8697 TP-Link Systems Inc. CVE debrief

Who should care

Network administrators managing TP-Link Archer C64 v1 deployments, security teams responsible for edge device protection, and organizations with adjacent untrusted network segments should prioritize assessment and remediation.

Technical summary

The Archer C64 v1 router exposes a debug SSH service that does not implement authentication rate-limiting. This service uses the same credentials as the web administrative interface. The absence of rate-limiting controls allows an unlimited number of authentication attempts, facilitating credential brute-forcing. Successful exploitation requires adjacent network access (AV:A) and yields high impact across confidentiality, integrity, and availability vectors. The vulnerability is rated CVSS 4.0 8.7 (HIGH) with low attack complexity and no required privileges or user interaction.

Defensive priority

HIGH

Recommended defensive actions

• Disable SSH access on the Archer C64 v1 if not required for administrative operations
• Implement network segmentation to restrict adjacent network access to the device management interface
• Monitor for repeated authentication failures on SSH services as potential brute-force indicators
• Apply firmware updates from the vendor when available to address the authentication rate-limiting deficiency
• Consider implementing additional access controls such as IP allowlisting for management interfaces
• Review and rotate administrative credentials if SSH service exposure is suspected

Evidence notes

CVE published 2026-05-28T17:16:33.657Z; modified 2026-05-28T18:38:35.797Z. CVSS 4.0 vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Weakness: CWE-288. Vendor evidence points to TP-Link based on reference domain analysis (confidence: low, needs review).

Official resources