CVE-2026-5363

Use of weak cryptographic key in TP-Link Archer C7

Assigner: TPLink
Reserved: 01.04.2026 Published: 15.04.2026 Updated: 16.04.2026

Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7: through Build 20220715.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TP-Link Systems Inc.
Product	Archer C7 v5 and v5.8
Versions	Default: unaffected affected from 0 to Build 20220715 (incl.)

Vendor

TP-Link Systems Inc.

Product

Archer C7 v5 and v5.8

Versions

Default: unaffected

affected from 0 to Build 20220715 (incl.)

References

Problem Types

CWE-326: Inadequate Encryption Strength CWE

Impacts