Brute Force Vulnerability in TP-Link Archer C64 SSH Service
CVE-2026-8697

8.7HIGH

Key Information:

Vendor: Tp-link Systems Inc.
Status: Archer C64 V1.0
Vendor: CVE Published:; 28 May 2026

🔔 Create Tp-link Systems Inc. Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-8697?

The TP-Link Archer C64 v1 contains a flaw in its debug SSH service that fails to enforce proper authentication rate-limiting. This vulnerability allows an attacker to execute unlimited authentication attempts using the same credentials as those utilized on the device's web interface. By gaining adjacent network access, an attacker can potentially brute-force valid SSH credentials, leading to unauthorized administrative access. Such exploitation poses significant risks to the confidentiality, integrity, and availability of the system's data and functions.

Affected Version(s)

Archer C64 v1.0 0 < 1.15.0 Build 250729 Rel.63489n(4555)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2026-8697
Created by itzmetanjim

References

https://www.tp-link.com/en/support/download/archer-c64/v1...

patch

https://www.tp-link.com/us/support/faq/5105/

vendor-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 29, 2026
👾
Exploit known to exist
May 29, 2026
Vulnerability published
May 28, 2026
Vulnerability Reserved
May 15, 2026

Credit

Tanjim Kamal

CVE-2026-8697 Data

JSON