CVE-2026-8697: Improper Authentication Rate Limiting on TP-Link's Archer C64
Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.
HarborGuard Analysis
Synopsis
Improper authentication rate-limiting in the debug SSH service of the TP-Link Archer C64 v1 router allows an attacker on the same network segment to brute-force administrative credentials without restriction. The SSH service exposes no lockout or throttling mechanism and shares credentials with the web management interface, so exhausting the credential space is purely a matter of time and compute. Successful exploitation gives an attacker full administrative control over the device, affecting confidentiality, integrity, and availability. A patched-image rebuild at version 1.15.0 Build 250729 Rel.63489n(4555) is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-8697 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected base layers.
Triage (Available): The finding is triaged with a CVSS v4.0 score of 8.7 (HIGH), weighted against each customer organization's per-environment compliance policy so that it is surfaced to the appropriate team or inbox within the org.
Remediation (Available): A patched-image rebuild at version 1.15.0 Build 250729 Rel.63489n(4555) becomes available in HarborGuard as soon as the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads.
Exploit Conditions
- Network reachability: Adjacent network
The attacker must be on an adjacent network such as the same LAN, Wi-Fi segment, or VPN; the device is not directly reachable from the open internet.
- Authentication: Not required
No credentials are needed to begin brute-forcing; the SSH service accepts unlimited unauthenticated login attempts with no lockout.
- Victim interaction: Not required
The attack is carried out entirely by the attacker against the SSH service; no user action or social engineering is involved.
- Attack complexity: Low
The exploit is straightforward and condition-free: there are no race conditions, memory-layout dependencies, or environmental prerequisites beyond network adjacency.
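The control the Authentication condition above says is missing, shown as an added example that is neither TP-Link firmware code nor HarborGuard's: a per-source failure budget inside a sliding window followed by a timed lockout, plus a constructed in-memory guess loop that counts how many candidates actually get checked with and without the limiter. The source address, thresholds and stored password are assumptions chosen for the illustration.

```python
import hmac, time
from collections import defaultdict, deque

class AuthRateLimiter:
    """Per-source failure budget inside a sliding window, then a timed lockout."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock                      # injectable so tests can fake time
        self._failures = defaultdict(deque)     # source -> recent failure timestamps
        self._locked_until = {}                 # source -> time the lockout ends

    def is_locked(self, source):
        return self.clock() < self._locked_until.get(source, 0.0)

    def record_failure(self, source):
        now = self.clock()
        q = self._failures[source]
        while q and now - q[0] > self.window_s:  # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:          # budget spent: lock this source out
            self._locked_until[source] = now + self.lockout_s
        return len(q)

def login(limiter, source, password, stored_password):
    """Gate one attempt: 'locked' (refused before any check), 'ok' or 'fail'."""
    if limiter is not None and limiter.is_locked(source):
        return "locked"
    if hmac.compare_digest(password, stored_password):  # constant-time compare
        return "ok"
    if limiter is not None:
        limiter.record_failure(source)
    return "fail"

def simulate_guessing(candidates, stored_password, limiter=None, source="192.0.2.10"):
    """Constructed guess loop from one adjacent host: (checked, refused, found)."""
    checked = refused = 0
    for guess in candidates:
        result = login(limiter, source, guess, stored_password)
        refused += result == "locked"
        checked += result != "locked"
        if result == "ok":
            return checked, refused, guess
    return checked, refused, None
```

Without the limiter every candidate is evaluated, so recovering the shared web/SSH credential is only a matter of time; with it, a single adjacent host gets max_failures checks per window and is then refused unchecked.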
Blast Radius
- Attacker recovers plaintext or crackable administrative credentials shared across SSH and the web management interface.
- Attacker gains full administrative access to the router, reading all device configuration including stored Wi-Fi passphrases, VPN keys, and connected-client data.
- Attacker modifies routing rules, DNS settings, firewall policies, or firmware to redirect or intercept traffic for all devices on the network.
- Attacker crashes or reboots the device at will, disrupting network connectivity for every client depending on the router.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-8697 is active across scanning pipelines the moment the advisory is ingested, covering any image that includes an affected version of the Archer C64 firmware layer. For environments where a patched base image is available (version 1.15.0 Build 250729 Rel.63489n(4555)), HarborGuard can make a rebuilt image available immediately. Where compliance policy permits auto-remediation, the rebuild is followed by an automated regression run and a pull request opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. For environments where auto-remediation is not enabled, the finding is routed to the team inbox defined in the org's compliance policy so remediation can be prioritized manually. In the interim, compensating controls such as network-policy isolation of the management interface, egress filtering to limit SSH exposure, and VLAN segmentation of the device are worth considering to reduce the adjacent-network attack surface.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 1.15.0 Build 250729 Rel.63489n(4555)
- Affected Products (1): TP-Link Systems Inc. / Archer C64 v1.0, versions from 0 up to but not including 1.15.0 Build 250729 Rel.63489n(4555)
- Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N