RESOLVED – PATCHED
TP-Link has replaced vulnerable firmware files on the Download Center with patched versions for the following models (non-exhaustive):

| Model | Previous Vulnerable Version | Patched Version | Release Date |
|-------|----------------------------|----------------|----------------|
| Archer AX6000 | 1.0.6 Build 20220901 | 1.0.8 Build 20231120 | 2024-01-15 |
| Deco X60 | 1.2.1 Build 20220810 | 1.2.3 Build 20231005 | 2023-12-01 |
| Tapo C200 | 1.0.14 | 1.0.18 | 2024-02-10 |
—have been identified across popular TP-Link product lines, including Archer routers, Tapo cameras, and Omada controllers. Security agencies, including the FBI and CISA
| Layer | Fix |
|-------|-----|
| | Enforce TLS 1.3, remove mixed content, add Certificate Transparency logging. |
| Application | Sanitize model/hw version parameters, prevent path traversal, implement session-based download tokens. |
| Storage | Store file hashes in database, verify on each download, serve via immutable URLs. |
| Integrity | Provide signed checksums alongside firmware, allow client-side verification via GPG or TP-Link’s own signature tool. |
| Monitoring | Log all downloads, alert on hash mismatches, deploy WAF rules for known exploit patterns. |
If left unpatched, a remote attacker could exploit these bugs by sending maliciously crafted network packets to the device. This action allows the attacker to execute arbitrary commands at the system level. The consequences of an unpatched device include:
Network routers are prime targets for threat actors and automated botnets. A single unpatched vulnerability can expose an entire network to data theft, man-in-the-middle attacks, and unauthorized access.

Common Vulnerabilities Addressed in Patches
Select your exact from the drop-down menu on the webpage. Click on the Firmware tab.