CVE-2026-8697: TP-Link Archer C64 Unauthenticated Brute-Force SSH Vulnerability
A vulnerability in TP-Link Archer C64 v1 routers allows attackers on the local network to repeatedly guess administrative passwords without restriction. The device runs a debug SSH service that shares login credentials with the web interface but fails to limit failed authentication attempts. An attacker who gains valid credentials through brute force can take complete control of the router, potentially redirecting traffic, stealing data, or disrupting network connectivity.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-288, CWE-306
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8697 stems from disabled rate-limiting on an SSH debug service in Archer C64 v1 firmware. The vulnerability combines two weaknesses: missing brute-force protections (CWE-288) and absence of proper authentication enforcement (CWE-306). Since SSH credentials are identical to web interface credentials, an attacker with adjacent network access can systematically attempt password combinations without triggering account lockouts or delays. Successful authentication grants full administrative privileges via SSH, circumventing web-based access controls.
Business impact
Compromised Archer C64 routers represent a critical entry point for network attacks. Attackers can monitor all traffic traversing the device, modify DNS settings to intercept communications, inject malware, or create persistent backdoors for lateral movement into connected systems. For organizations using these devices in branch offices, retail locations, or as edge network infrastructure, this vulnerability could enable data exfiltration, service disruption, and compliance violations. The ease of exploitation and proximity requirement (adjacent network) make this a particularly severe risk in shared environments such as offices, hotels, or public venues where WiFi is offered.
Affected systems
TP-Link Archer C64 devices running firmware version 1 are affected. The vulnerability is specific to v1; verify whether your deployment includes affected versions by checking device firmware revision in the web administration panel (typically System Tools > Firmware Upgrade) or via SSH banner information. Organizations should inventory all Archer C64 devices and cross-reference firmware versions against TP-Link's official support documentation.
Exploitability
Exploitation is straightforward and requires only adjacent network access—typically achieved by connecting to the device's WiFi network or plugging into an Ethernet port on the LAN side. No network traversal, authentication, or user interaction is necessary. An attacker can use standard SSH clients and dictionary or brute-force tools to systematically test credentials without triggering rate limits or alerts. The low complexity and minimal prerequisites make this vulnerability highly exploitable in practice, though it does not appear on CISA's Known Exploited Vulnerabilities catalog as of the advisory publication date.
Remediation
TP-Link has not yet released a patch for this vulnerability as of the advisory date (June 2026). Organizations must implement compensating controls immediately: restrict SSH access to the Archer C64 by disabling SSH on the device if not required (check Administration > SSH settings), physically isolate devices to trusted network segments only, implement network-based authentication or VPN access for administrative functions, and monitor for unusual SSH connection attempts. Do not rely on the web interface alone for security—apply all available controls at the network and device level.
Patch guidance
No vendor patch has been released as of the advisory modification date (2026-06-17). Monitor TP-Link's official support pages and security advisories for firmware updates addressing this issue. When a patch is released, apply it immediately to all affected Archer C64 v1 devices via System Tools > Firmware Upgrade in the web interface. Verify the updated firmware version post-deployment. Until a patch is available, apply the compensating controls listed in the remediation section.
Detection guidance
Monitor network logs for repeated failed or successful SSH login attempts to Archer C64 devices, especially from non-administrative IP addresses or unusual times. Enable SSH logging on the device if available (verify in Administration settings) and review access logs regularly. Network-based detection can flag rapid sequential SSH connection attempts to the device's IP address on port 22. Endpoint detection tools should flag any new or unauthorized administrative access. Baseline normal SSH activity first to distinguish reconnaissance from legitimate administration.
Why prioritize this
This vulnerability scores 8.8 (HIGH) under CVSS 3.1 due to high-impact confidentiality, integrity, and availability consequences, combined with low attack complexity and no privilege or user interaction requirements. Although adjacent network access is required, this is easily achieved in typical deployments. The absence of a published patch and the practical ease of exploitation make this a top-priority remediation target. Organizations should treat this as urgent if Archer C64 v1 devices are present in security-sensitive or production network segments.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the attack vector (adjacent network), attack complexity (low), privileges required (none), user interaction (none), and impact across confidentiality, integrity, and availability (all high). The score does not consider exploitability in the wild or patch availability; however, the lack of a current patch and straightforward exploitation method elevate real-world risk above the base score. Organizations should apply additional context weighting based on device placement and network sensitivity.
Frequently asked questions
Do I need to physically touch the device to exploit this vulnerability?
No. An attacker needs only to be on the same network segment as the Archer C64 (e.g., connected to its WiFi or a wired LAN port). They can then attempt SSH connections remotely from their connected system.
Does this vulnerability require me to already know the administrator password?
No. The vulnerability allows unlimited password guessing attempts. An attacker can methodically test common passwords, leaked credentials, or dictionary words until one succeeds. Rate-limiting would normally prevent this; its absence is the core defect.
If I disable SSH on the device, am I protected?
Yes, disabling SSH eliminates this particular attack path. However, verify that SSH is not required for your network management procedures. The vulnerability also highlights that the device lacks proper authentication controls; other access methods should be similarly reviewed and hardened.
What if I've already changed the default administrator password?
Changing the password increases resistance to default-credential attacks but does not prevent brute-force guessing. The lack of rate-limiting means a weak or previously compromised password can still be discovered through systematic attempts. Pair password changes with network isolation and monitoring until a patch is available.
This analysis is based on the vulnerability advisory published on 2026-05-28 and updated 2026-06-17. No patches have been released as of the advisory modification date; verify patch availability directly with TP-Link before implementing security measures. This summary does not constitute security advice specific to your organization; consult your security team and TP-Link documentation for guidance tailored to your deployment. SEC.co assumes no liability for damages resulting from incomplete or delayed patching. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-24088HIGHQualcomm Bootloader Cryptographic Verification Flaw (CVSS 8.2)
- CVE-2026-24090HIGHQualcomm Partition Table Cryptographic Flaw Enables Boot Modification
- CVE-2026-36603HIGHMercusys AC12G Unauthenticated UPnP Port Forwarding Vulnerability
- CVE-2026-40780HIGHBookIt Authentication Bypass via Password Recovery
- CVE-2026-42654HIGHWP Swings Wallet System Authentication Bypass Allows Account Takeover