VYPR
High severity · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-8697

Description

Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH.

Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TP-Link Archer C64 v1 debug SSH service lacks authentication rate limiting, allowing brute-force of credentials to gain full admin access.

Vulnerability

The debug SSH service on TP-Link Archer C64 v1 (all firmware versions prior to 1.15.0 Build 250729 Rel.63489n(4555)) does not enforce authentication rate limiting and uses the same credentials as the web interface. This allows unlimited authentication attempts via SSH. [2]

Exploitation

An attacker with adjacent network access can brute-force valid administrative credentials by connecting to the debug SSH service on the device. No prior authentication or user interaction is required; because login attempts are not limited, the attacker can keep trying common or targeted username/password combinations until one succeeds. [2]

Impact

Successful exploitation gives the attacker full administrative privileges over the device, allowing compromise of all data (confidentiality), modification of device settings (integrity), and potential denial of service (availability). [2]

Mitigation

TP-Link has released fixed firmware version 1.15.0 Build 250729 Rel.63489n(4555) for Archer C64 v1, available from the TP-Link download page [1]. Users should update to this version to remediate the vulnerability. No workaround is documented. According to the advisory, the device is not sold in the US. [2]

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
