VU#554637: TP-Link Archer C50 router is vulnerable to configuration-file decryption

Overview

The TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.

Description

A vulnerability exists in the TP-Link Archer C50 router’s firmware, where encrypted configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device.

CVE-2025-6982
The TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes it vulnerable to configuration file decryption.

The encryption lacks randomness and message authentication, allowing for trivial offline decryption of sensitive data.
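
The lack of randomness is visible without any key: under ECB, equal 8-byte plaintext blocks always produce equal ciphertext blocks. The following is an added example, not code from the advisory or the vendor, that counts repeated aligned blocks as a triage check for stored backup files. The sample data, the key, and the SHA-256-based `stand_in_transform` are constructed assumptions and are neither DES nor the router's file format.

```python
import hashlib
import sys
from collections import Counter

BLOCK = 8  # DES block size in bytes

def repeated_blocks(data, block=BLOCK):
    """Return (total, repeated): aligned blocks seen, and how many belong to
    a value that occurs more than once."""
    usable = len(data) - len(data) % block
    counts = Counter(data[i:i + block] for i in range(0, usable, block))
    return usable // block, sum(n for n in counts.values() if n > 1)

def looks_block_deterministic(data, block=BLOCK):
    """True when any aligned block repeats. Only meaningful for files believed
    to be ciphertext; plaintext files repeat blocks for ordinary reasons."""
    return repeated_blocks(data, block)[1] > 0

def stand_in_transform(key, plain, per_block_tweak):
    """Constructed stand-in for a block cipher (NOT DES, not invertible).
    Without a tweak it is deterministic per block, like ECB; with the block
    offset mixed in, equal plaintext blocks no longer map to equal output."""
    out = bytearray()
    for i in range(0, len(plain), BLOCK):
        tweak = i.to_bytes(8, "big") if per_block_tweak else b""
        out += hashlib.sha256(key + tweak + plain[i:i + BLOCK]).digest()[:BLOCK]
    return bytes(out)

# Constructed sample: five 32-byte records with zero-padded fields.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PLAIN = (b"ssid=lab" + bytes(24)) * 4 + b"dhcp=on!" + bytes(24)

if __name__ == "__main__":
    if sys.argv[1:]:
        # Report block repetition for each file path given on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                total, rep = repeated_blocks(fh.read())
            print(f"{path}: {rep}/{total} repeated 8-byte blocks")
    else:
        # No arguments: compare the two constructed transforms on the sample.
        for label, tweak in (("ECB-like", False), ("position-mixed", True)):
            out = stand_in_transform(SAMPLE_KEY, SAMPLE_PLAIN, tweak)
            total, rep = repeated_blocks(out)
            print(f"{label}: {rep}/{total} repeated 8-byte blocks")
```

With a 64-bit block size, a small file encrypted with proper per-message randomness should show no repeated blocks, so any repetition in a stored backup indicates deterministic encryption and a file that needs to be secured or deleted.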

Impact

Exploitation of this vulnerability may result in:

Exposure of Sensitive Configuration Data

  • Admin credentials
  • Wireless network SSIDs and passwords
  • Static IPs, DHCP settings, and DNS server details

Network Intelligence Gathering

  • Internal network structure
  • Connected device roles and topology
  • Pre-positioning for further attacks

Ease of Exploitation

  • Works on default firmware configurations
  • Does not require the router to be actively running

Primary Impact: Full authorized access to router configuration, leading to potential compromise of the connected network.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.
Note: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.

Users are strongly advised to:

  • Retire and replace the Archer C50 with a supported router model
  • Avoid using devices with known cryptographic flaws
  • Secure or delete any exported configuration files
  • Change passwords if configuration files were exposed or restored from backup

Acknowledgements

Thanks to the reporter Jai Bhortake from CoE – CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.