CVE-2026-8697 HIGH

CVE-2026-8697: Improper Authentication Rate Limiting on TP-Link's Archer C64

Vendor TP-Link Systems Inc.
Product Archer C64 v1.0
Weakness CWE-288
Published May 28, 2026
Last update May 29, 2026

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

Key dates

02 Disclosure timeline

May 28, 2026 CVE published
May 29, 2026 Record updated

Related vulnerabilities

04 Related CVE