CVE-2026-5039 PUBLISHED

Predictable Default Cryptographic Key Used for DES Encryption in TP-Link TL-WL841N

Assigner: TPLink
Reserved: 27.03.2026 Published: 23.04.2026 Updated: 23.04.2026

TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 6.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TP-Link Systems Inc.
Product	TL-WL841N v13
Versions	Default: unaffected affected from 0 to 0.9.1 Build 20231120 Rel.62366 (excl.)

References

https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware

Problem Types

CWE-1394 Use of default cryptographic key CWE

Impacts

CAPEC-70 Try Common or Default Usernames and Passwords