CVE-2026-3294

Summary

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation.

Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.Archer RE650 v10 < V1_20260429affected
TP-Link Systems Inc.Archer RE305 v10 < V1_20260515affected
TP Link Systems Inc.Archer RE360 v10 < V1_20260515affected
TP-Link Systems Inc.TL-WA860RE v40 < V4_20260515affected
TP-Link Systems Inc.RE580D v10 < V1_20260515affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References