Cyber Resilience

CVE-2026-5039

Medium

Published: 23 April 2026

Published
23 April 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 6.1 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 2.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5039 is a medium-severity Use of Default Cryptographic Key (CWE-1394) vulnerability in Tp-Link Tl-Wr841N Firmware. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable if device is left in default configuration. A network-adjacent attacker can exploit this weakness to…

more

gain unauthorized access to the protocol, read debug data, modify certain device configuration values, and trigger device reboot, resulting in loss of integrity and a denial-of-service condition.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vuln in debug protocol (weak crypto from defaults) directly enables remote exploitation of the service for config changes/DoS on the device.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

tp-link
tl-wr841n firmware
≤ 231120

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References