
A newly disclosed vulnerability in TP-Link's end-of-life Archer C50 routers exposes sensitive configuration data through a weak, hardcoded encryption key.
The flaw, tracked as CVE-2025-6982, allows attackers with device access to trivially decrypt router settings, including admin credentials and Wi-Fi passwords.
The issue was reported by security researcher Jai Bhortake and highlighted yesterday in a bulletin by the CERT Coordination Center (CERT/CC). The vulnerability affects Archer C50 hardware revisions V3 through V5, specifically firmware versions ≤180703, ≤250117, and ≤200407, respectively.
At the heart of the flaw is the router's use of DES encryption in ECB (Electronic Codebook) mode, with a static, hardcoded key embedded in firmware. This cryptographic setup lacks both randomness and authentication, meaning that anyone with a configuration file (config.xml) can decrypt its contents offline without difficulty. The decryption process does not vary by device, making the vulnerability broadly exploitable across all affected units.
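The two properties described above (no randomness, and the same key on every device) can be seen from ciphertext alone, without decrypting anything. The following is an added example, not code from TP-Link, CERT/CC or the researcher: it uses a stand-in 64-bit Feistel cipher rather than DES so that it runs on the Python standard library, and the key, configuration strings and function names are all constructed for illustration.

```python
import hashlib

BLOCK = 8  # DES works on 64-bit (8-byte) blocks; the stand-in cipher does too

def toy_block_encrypt(key, block):
    """Stand-in 64-bit Feistel permutation (NOT DES), used only for the demo."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_encrypt(key, plaintext):
    """ECB mode: pad, then encrypt each block independently (no IV, no MAC)."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def split_blocks(ct):
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]

def shared_block_ratio(ct_a, ct_b):
    """Fraction of ciphertext blocks in ct_a that also occur in ct_b."""
    seen = set(split_blocks(ct_b))
    blocks_a = split_blocks(ct_a)
    return sum(1 for b in blocks_a if b in seen) / len(blocks_a)

def differing_blocks(ct_a, ct_b):
    """Block positions where two equal-length backups differ."""
    pairs = zip(split_blocks(ct_a), split_blocks(ct_b))
    return [i for i, (x, y) in enumerate(pairs) if x != y]

# Constructed sample data: two devices, same layout, different SSID and password.
SHARED_KEY = b"constructed-demo-key"  # placeholder, not a real firmware key
CFG_A = b"<cfg><ssid>HomeNet_A</ssid><key>pw-alpha-0001</key><dhcp>on</dhcp></cfg>"
CFG_B = b"<cfg><ssid>HomeNet_B</ssid><key>pw-bravo-0002</key><dhcp>on</dhcp></cfg>"

if __name__ == "__main__":
    ct_a, ct_b = ecb_encrypt(SHARED_KEY, CFG_A), ecb_encrypt(SHARED_KEY, CFG_B)
    # Same key on both devices: most ciphertext blocks are byte-identical.
    print("shared ratio, same key:", shared_block_ratio(ct_a, ct_b))
    print("blocks that differ:", differing_blocks(ct_a, ct_b))
    # Hypothetical per-device key: the backups no longer share any block.
    ct_c = ecb_encrypt(b"per-device-key-B", CFG_B)
    print("shared ratio, per-device key:", shared_block_ratio(ct_a, ct_c))
```

Identical ciphertext blocks across backups from different units indicate a shared key in a deterministic mode, and the positions that differ show where the device-specific fields sit even before any decryption.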
TP-Link's Archer C50 series is a low-cost, widely deployed line of dual-band wireless routers aimed at consumers and small office environments. First released in the mid-2010s, the series is now officially end-of-life (EOL), meaning it no longer receives firmware updates or security support from the vendor. Despite this, many units remain active in home and budget network setups due to their affordability and stable performance.
The decrypted configuration files can expose:
- Admin interface credentials
- Wi-Fi SSIDs and passwords
- Static IP, DHCP, and DNS settings
- Details about connected devices and internal topology
While exploitation requires access to the router's configuration file, typically accessible only after authentication or by extracting backups, weak or reused credentials could make such access trivial in poorly secured environments. Once decrypted, the information could be used for network mapping, further pivoting, or pre-positioning for deeper compromise of internal systems.
This disclosure comes on the heels of another TP-Link advisory earlier in July concerning two other legacy models, namely TL-WR940N V4 and TL-WR841N V11, which were found vulnerable to a high-severity buffer overflow with no available patch due to their EOL status. That vulnerability (CVE-2025-6151), discovered by researcher WhereisDoujo, highlighted TP-Link's growing portfolio of unsupported yet still-active consumer-grade routers with unresolved security issues.
TP-Link has acknowledged CVE-2025-6982 with a CVSS v4.0 base score of 6.9 (Medium), but has reaffirmed that no fix will be issued for the Archer C50 due to its EOL designation. Users are instead encouraged to upgrade to newer, supported router models. For environments where the Archer C50 must remain in use temporarily, users should disable remote management, segment the network, and use strong, unique passwords.
Is https://youtube.com/@cyberinsiderhq the actual YouTube channel from Cyber Insider? I can’t find anything that directly links the website to the YouTube channel.
Yep, that’s our channel.