CVE-2026-3294
HIGHAuthentication Logic Vulnerability on Multiple TP-Link Range Extenders
Title source: cnaDescription
An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability.
References (11)
Core 11
Core References
Vendor Advisory vendor-advisory
https://www.tp-link.com/us/support/faq/5101/
Scores
CVSS v3
8.8
EPSS
0.0040
EPSS Percentile
31.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
CWE-862
Status
published
Products (10)
TP Link Systems Inc./Archer RE360 v1
< V1_20260515
tp-link/re305_firmware
< 20260515
tp-link/re360_firmware
< 20260515
tp-link/re580d_firmware
< 20260515
tp-link/re650_firmware
< 20260429
tp-link/tl-wa860re_firmware
< 20260515
TP-Link Systems Inc./Archer RE305 v1
< V1_20260515
TP-Link Systems Inc./Archer RE650 v1
< V1_20260429
TP-Link Systems Inc./RE580D v1
< V1_20260515
TP-Link Systems Inc./TL-WA860RE v4
< V4_20260515
Published
May 22, 2026
Tracked Since
May 23, 2026