CVE-2026-0834

HIGH

TP-Link Archer C20 v5/v6, AX53 v1, TL-WR841N v13 - Unauthenticated RCE via TDDP

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-0834. PoCs published by mattgsys.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2026-0834, which bypasses authentication in TP-Link's TDDP service by sending crafted packets with a pktLength of 0 to skip DES decryption and execute administrative commands like factory reset and reboot.

Description

Logic vulnerability in TP-Link Archer C20 v5, 6.0, Archer AX53 v1.0 and TL-WR841N v13 (TDDP module) allows unauthenticated adjacent attackers to execute administrative commands including factory reset and device reboot without credentials. Attackers on the adjacent network can remotely trigger factory resets and reboots without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 < V6_251031, Archer C20 v5 <EU_V5_260317 or < US_V5_260419 Archer AX53 v1.0 < V1_251215 TL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366

Exploits (1)

nomisec WORKING POC

by mattgsys · poc

https://github.com/mattgsys/CVE-2026-0834

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2026-0834, which bypasses authentication in TP-Link's TDDP service by sending crafted packets with a pktLength of 0 to skip DES decryption and execute administrative commands like factory reset and reboot.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TP-Link Archer C20 V6 (firmware 0.9.1 Build 4.19/4.20)

No auth needed

Prerequisites: Local network access to the target device · TDDP service enabled on the target device

MITRE ATT&CK

T1110 - Brute Force T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (7)

Core 7

Core References

Product patch

https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware

Product patch

https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware

Patch patch

https://www.tp-link.com/en/support/download/archer-c20/v5/#Firmware

Vendor Advisory vendor-advisory

https://www.tp-link.com/us/support/faq/4905/

Patch patch

https://www.tp-link.com/us/support/download/archer-c20/v5/#Firmware

Patch patch

https://www.tp-link.com/us/support/download/tl-wr841n/v13/#Firmware

Permissions Required

https://mattg.systems/posts/cve-2026-0834/

Scores

CVSS v3 8.8

EPSS 0.0040

EPSS Percentile 31.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-290

Status published

Products (7)

TP Link Systems Inc./TL-WR841N v13 < 0.9.1 Build 20231120 Rel.62366

tp-link/archer_ax53_firmware 1.0

tp-link/archer_c20_firmware 6.0

TP-Link Systems Inc./Archer C20 V5 < EU_V5_260317

TP-Link Systems Inc./Archer C20 V5 < US_V5_260419

TP-Link Systems Inc./Archer C20 v6.0, Archer AX53 v1.0 < V1_251215

TP-Link Systems Inc./Archer C20 v6.0, Archer AX53 v1.0 < V6_251031

Published Jan 21, 2026

Tracked Since Feb 18, 2026