CVE-2026-8697 - Vulnerability Details

- Improper Authentication Rate Limiting on TP-Link's Archer C64

Description

Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.

Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

Published: 2026-05-28

Score: 8.7 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Archer C64 firmware v1.0 exposes a debug SSH service that does not enforce authentication rate limiting, a flaw described by CWE‑288. Because the SSH server accepts unlimited login attempts and uses the same account credentials as the web interface, an attacker can brute‑force valid administrator credentials. Once authenticated, the attacker gains full control over the router, compromising confidentiality, integrity, and availability of the network managed by the device.

Affected Systems

TP‑Link Archer C64 routers running firmware version 1.0 are affected. The flaw is located in the debug SSH sub‑service bundled with this firmware and allows unauthorized credential discovery on devices that have not applied the fix.

Risk and Exploitability

The CVSS score of 8.7 signals a high severity risk. The EPSS score is not available, so the precise likelihood of exploitation remains uncertain. The vulnerability is not listed in CISA’s KEV catalog. An attacker must reach the router’s local or adjacent network to connect to its SSH port and conduct brute‑force attempts against the shared credentials. Because the authentication loop is unlimited, exploitation is technically straightforward in environments where the router is exposed to untrusted or nearby devices, making the risk of compromise significant if no remediation is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TP-Link Systems Inc.

Archer C64 v1.0

unaffected

Version	Status	Constraints
`0`	affected	< 1.15.0 Build 250729 Rel.63489n(4555)

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update that enforces authentication rate limiting on the SSH service, fixing the CWE‑288 weakness.
If a firmware update is not yet available, block or disable the debug SSH port using the router’s firewall or ACL to eliminate the brute‑force vector.
Restrict local network access to the router by segmenting the network or configuring the router to allow SSH only from trusted IP addresses.

Generated by OpenCVE AI on May 28, 2026 at 19:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware
https://www.tp-link.com/us/support/faq/5105/

History

Thu, 28 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 28 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.
Title		Improper Authentication Rate Limiting on TP-Link's Archer C64
Weaknesses		CWE-288
References		https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware https://www.tp-link.com/us/support/faq/5105/
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: TPLink

Published: 2026-05-28T15:45:20.971Z

Updated: 2026-05-28T19:26:07.424Z

Reserved: 2026-05-15T16:35:09.352Z

Link: CVE-2026-8697

Vulnrichment

Updated: 2026-05-28T19:26:02.748Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T17:16:33.657

Modified: 2026-05-28T18:38:35.797

Link: CVE-2026-8697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T19:15:06Z

Weaknesses

CWE-288

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object