CVE-2026-0834
Published: 21 January 2026
Summary
CVE-2026-0834 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in TP-Link Archer AX53 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the logic vulnerability in the TDDP module by requiring timely application of vendor-patched firmware versions to block unauthenticated administrative command execution.
Restricts specific actions performable without identification or authentication, preventing exploitation of the TDDP flaw that allows admin commands like factory resets without credentials.
Enforces approved authorizations for access to administrative functions, mitigating the unauthenticated adjacent network access enabled by the TDDP logic vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Logic flaw enables unauthenticated remote admin command execution (incl. DoS actions) on exposed router services, directly mapping to exploitation of public-facing applications.
NVD Description
Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031, Archer C20 v5 < EU_V5_260317 or < US_V5_260419, Archer AX53 v1.0 < V1_251215, TL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366.
Deeper analysis
CVE-2026-0834 is a logic vulnerability (CWE-290) in the TDDP module of several TP-Link router models, including Archer C20 v5 (versions prior to EU_V5_260317 or US_V5_260419), Archer C20 v6.0 (versions prior to V6_251031), Archer AX53 v1.0 (versions prior to V1_251215), and TL-WR841N v13 (versions prior to 0.9.1 Build 20231120 Rel.62366). The flaw enables unauthenticated attackers to execute administrative commands on affected devices. It has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts.
Unauthenticated attackers on the adjacent network can exploit this vulnerability through the TDDP module. Successful exploitation allows execution of administrative commands, such as triggering factory resets or device reboots, resulting in configuration loss and denial of service through interrupted device availability.
Mitigation requires updating to patched firmware versions: Archer C20 v6.0 to V6_251031 or later, Archer C20 v5 to EU_V5_260317 (EU) or US_V5_260419 (US) or later, Archer AX53 v1.0 to V1_251215 or later, and TL-WR841N v13 to 0.9.1 Build 20231120 Rel.62366 or later. TP-Link provides these updates via model-specific download pages, with additional details in the originating advisory at https://mattg.systems/posts/cve-2026-0834/.
Details
- CWE(s)