CVE-2025-13399
HIGHTP-Link VX800v Firmware < 800.0.11 - Unauthenticated Weak AES Key Brute Force in Web Interface
Title source: llmDescription
A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data.
References (2)
Core 2
Core References
Various Sources patch
https://www.tp-link.com/de/support/download/vx800v/#Firmware
Various Sources vendor-advisory
https://www.tp-link.com/us/support/faq/4930/
Scores
CVSS v3
8.8
EPSS
0.0015
EPSS Percentile
4.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-331
Status
published
Products (1)
tp-link/vx800v_firmware
< 800.0.11
Published
Jan 29, 2026
Tracked Since
Feb 18, 2026