Click to skip the navigation bar
Search
Search Menu

Security Advisory on Multiple Vulnerabilities on Archer AX53 (CVE-2025-58455, CVE-2025-59482, CVE-2025-59487, CVE-2025-62404, CVE-2025-61944, CVE-2025-61983, CVE-2025-62405, CVE-2025-58077, CVE-2025-62673 & CVE-2025-62501)

Security Advisory
Updated 02-03-2026 18:57:07 PM Number of views for this article222

Multiple vulnerabilities were identified in TP-Link Archer AX53 v1.0 across tmpserver and tdpserver modules, concerning multiplel heap-based buffer overflow conditions.

Description of Vulnerabilities and Impacts:

Heap-based Buffer Overflow Vulnerabilities:

CVE-2025-58455: due to Packet Length Exceeding Expected Limits

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.

CVE-2025-59482: due to Insufficient Validation of a Packet Field Length

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.

CVE-2025-59487: due to Improper Validation of Packet Field Offset

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations.

CVE-2025-62404: due to Maliciously Formed Field in tdpserver Module

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value.

CVE-2025-61944: due to Excessive Zero-Length Fields

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.

CVE-2025-61983: due to Excessive Number of Zero-Length Fields

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values.

CVE-2025-62405: due to Overly Long Packet Field

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.

CVE-2025-62405: due to Overly Long Packet Field

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value.

CVE-2025-58077: due to Excessive Number of Host Entries in Packets

‘tmpserver modules’ allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries

The above vulnerabilities have the same CVSS score ratings:

CVSS v4.0 Score: 7.3 / High

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2025-62673: due to Malformed Field in tpdserver

‘tdpserver modules’ allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field.

CVSS v4.0 Score: 8.6 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2025-62601: SSH Hostkey Misconfiguration Vulnerability Enabling Potential MiTM Credential Interception

SSH Hostkey misconfiguration vulnerability in ‘tmpserver modules’ allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused.

CVSS v4.0 Score: 7.0 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Affected Product Model

Affected Version

Archer AX53 v1.0

< V1_260119

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Download and update to the latest firmware version to fix the

EN: Download for Archer AX53 | TP-Link

MY: Download for Archer AX53 | TP-Link Malaysia

AX53 v1 is not sold in the US.

Disclaimer:

If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.

Looking for More

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

As explained further in our website Privacy Policy, we allow certain advertising partners to collect information from our website through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing"/disclosure of personal data for "targeted advertising" as defined by certain U.S. state laws. To opt out of these activities, press "Opt Out" below. If the toggle below for "Targeted Advertising and 'Sale' Cookies" is to the left, you are already opted out and you can close these preferences.

Please note that your choice will apply only to your current device/browser. You must indicate your choice on each device and browser you use to access our website. If you clear your cookies or your browser is set to do so, you must opt out again.

Your Privacy Choices

As explained further in our website Privacy Policy, we allow certain advertising partners to collect information from our website through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing"/disclosure of personal data for "targeted advertising" as defined by certain U.S. state laws. To opt out of these activities, press "Opt Out" below. If the toggle below for "Targeted Advertising and 'Sale' Cookies" is to the left, you are already opted out and you can close these preferences.

Please note that your choice will apply only to your current device/browser. You must indicate your choice on each device and browser you use to access our website. If you clear your cookies or your browser is set to do so, you must opt out again.

These cookies are necessary for the website to function and cannot be switched off.

These cookies allow targeted ads or the "sale" of personal data (toggle to the left to opt out).

Analytics cookies enable us to analyze your activities on our and other websites in order to improve and adapt the functionality of our website and our ad campaigns.

Advertising cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Welcome to Our Website! If you stay on our site, we and our third-party partners use cookies, pixels, and other tracking technologies to better understand how you use our site, provide and improve our services, and personalize your experience and ads based on your interests. Learn more in your privacy choices.