CVE-2026-8697

Improper Authentication Rate Limiting on TP-Link's Archer C64

Assigner: TPLink
Reserved: 15.05.2026 Published: 28.05.2026 Updated: 29.05.2026

Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.

Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TP-Link Systems Inc.
Product	Archer C64 v1.0
Versions	Default: unaffected affected from 0 to 1.15.0 Build 250729 Rel.63489n(4555) (excl.)

Vendor

TP-Link Systems Inc.

Product

Archer C64 v1.0

Versions

Default: unaffected

affected from 0 to 1.15.0 Build 250729 Rel.63489n(4555) (excl.)

Credits

Tanjim Kamal finder

References

Problem Types

CWE-288 Authentication bypass using an alternate path or channel CWE

Impacts

CAPEC-49 Password Brute Forcing