Security Advisory: Weak Password Hashing Mechanism in TP-Link Deco M5 (CVE-2026-5040)
Vulnerability and Impact Description:
CVE-2026-5040
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks.
Successful exploitation may result in disclosure of authentication credentials, enabling unauthorized access to device management functions, depending on the privileges associated with the recovered password. The primary security impact is loss of confidentiality.
CVSS v4.0 Score: 7.1 / High
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Product Model |
Hardware Version |
Fixed Firmware Version |
|
Deco M5 |
v1 |
1.9.4 Build 20260312 Rel.17129 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixed the vulnerability:
EN: Download for Deco M5 | TP-Link
US: Download for Deco M5 | TP-Link
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.