{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/554637#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.\r\n\r\n### Description\r\nA vulnerability exists in the TP-Link Archer C50 router’s firmware, where encrypted configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device.\r\n\r\n**CVE-2025-6982**\r\nTP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to configuration file decryption.\r\n\r\nThe encryption lacks randomness and message authentication, allowing for trivial offline decryption of sensitive data.\r\n\r\n### Impact\r\nExploitation of this vulnerability may result in:\r\n#### Exposure of Sensitive Configuration Data\r\n* Admin credentials\r\n* Wireless network SSIDs and passwords\r\n* Static IPs, DHCP settings, and DNS server details\r\n#### Network Intelligence Gathering\r\n*\tInternal network structure\r\n*\tConnected device roles and topology\r\n*\tPre-positioning for further attacks\r\n#### Ease of Exploitation\r\n*\tWorks on default firmware configurations\r\n*\tDoes not require the router to be actively running\r\nPrimary Impact: Full authorized access to router configuration, leading to potential compromise of the connected network.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem.\r\nNote: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.\r\n#### Users are strongly advised to:\r\n* Retire and replace the Archer C50 with a supported router model\r\n*\tAvoid using devices with known cryptographic flaws\r\n*\tSecure or delete any exported configuration files\r\n*\tChange passwords if configuration files were exposed or restored from backup\r\n\r\n### Acknowledgements\r\nThanks to the researchers Sushant Mane, Jai Bhortake, and Dr. Faruk Kazi from CoE - CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/554637"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-6982","summary":"https://www.cve.org/CVERecord?id=CVE-2025-6982"},{"url":"https://www.tp-link.com/us/support/faq/4538/","summary":"https://www.tp-link.com/us/support/faq/4538/"}],"title":"TP-Link Archer C50 router is vulnerable to configuration-file decryption","tracking":{"current_release_date":"2025-08-04T15:49:20+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#554637","initial_release_date":"2025-07-29 17:43:01.487138+00:00","revision_history":[{"date":"2025-08-04T15:49:20+00:00","number":"1.20250804154920.2","summary":"Released on 2025-08-04T15:49:20+00:00"}],"status":"final","version":"1.20250804154920.2"}},"vulnerabilities":[{"title":"TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to unauthorized configuration-file decryption.","notes":[{"category":"summary","text":"TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to unauthorized configuration-file decryption."}],"cve":"CVE-2025-6982","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#554637"}],"product_status":{"known_affected":["CSAFPID-b28a9e20-3595-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"TP-LINK","product":{"name":"TP-LINK Products","product_id":"CSAFPID-b28a9e20-3595-11f1-8422-122e2785dc9f"}}]}}