{"vuid":"VU#554637","idnumber":"554637","name":"TP-Link Archer C50 router is vulnerable to configuration-file decryption","keywords":null,"overview":"### Overview\r\nThe TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.\r\n\r\n### Description\r\nA vulnerability exists in the TP-Link Archer C50 router’s firmware, where encrypted configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device.\r\n\r\n**CVE-2025-6982**\r\nTP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to configuration file decryption.\r\n\r\nThe encryption lacks randomness and message authentication, allowing for trivial offline decryption of sensitive data.\r\n\r\n### Impact\r\nExploitation of this vulnerability may result in:\r\n#### Exposure of Sensitive Configuration Data\r\n* Admin credentials\r\n* Wireless network SSIDs and passwords\r\n* Static IPs, DHCP settings, and DNS server details\r\n#### Network Intelligence Gathering\r\n*\tInternal network structure\r\n*\tConnected device roles and topology\r\n*\tPre-positioning for further attacks\r\n#### Ease of Exploitation\r\n*\tWorks on default firmware configurations\r\n*\tDoes not require the router to be actively running\r\nPrimary Impact: Full authorized access to router configuration, leading to potential compromise of the connected network.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem.\r\nNote: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.\r\n#### Users are strongly advised to:\r\n* Retire and replace the Archer C50 with a supported router model\r\n*\tAvoid using devices with known cryptographic flaws\r\n*\tSecure or delete any exported configuration files\r\n*\tChange passwords if configuration files were exposed or restored from backup\r\n\r\n### Acknowledgements\r\nThanks to the researchers Sushant Mane, Jai Bhortake, and Dr. Faruk Kazi from CoE - CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["https://www.cve.org/CVERecord?id=CVE-2025-6982","https://www.tp-link.com/us/support/faq/4538/"],"cveids":["CVE-2025-6982"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2025-07-29T17:43:01.693068Z","publicdate":"2025-07-29T17:43:01.487138Z","datefirstpublished":"2025-07-29T17:43:01.705244Z","dateupdated":"2025-08-04T15:49:20.310403Z","revision":2,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":130}