CVE-2026-5363
Published: 16 April 2026
Summary
CVE-2026-5363 is a medium-severity Inadequate Encryption Strength (CWE-326) vulnerability in TP-Link Archer C7. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE is ranked at the 0.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23137
Vulnerability details
Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login. An adjacent attacker with the ability to intercept network traffic could potentially perform a brute-force or factorization attack against the 1024-bit RSA key to recover the plaintext administrator password, leading to unauthorized access and compromise of the device configuration. This issue affects Archer C7: through Build 20220715.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Weak RSA-1024 client-side encryption directly enables offline factorization/brute-force key recovery (T1110.002) on intercepted login traffic, exposing plaintext credentials (T1552).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength.
Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers.
Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm.
Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.
Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security.