Skip to main content
CVE Vulnerability Database

CVE-2026-5039: TP-Link TL-WR841N Firmware DoS Vulnerability

CVE-2026-5039 is a denial-of-service flaw in TP-Link TL-WR841N Firmware that exploits weak DES-CBC encryption in TDDPv2, allowing attackers to reboot devices and modify configurations. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-5039 Overview

CVE-2026-5039 affects the TP-Link TL-WR841N v13 wireless router. The device implements DES-CBC encryption in its TP-Link Device Debug Protocol version 2 (TDDPv2), but derives the cryptographic key from the default web management credentials. When administrators leave the router in its default configuration, the key becomes predictable to any network-adjacent attacker.

An attacker on an adjacent network can decrypt TDDPv2 traffic, read debug data, modify selected configuration values, and force a device reboot. The flaw is classified under [CWE-1394] for use of a default cryptographic key. The vulnerability impacts integrity and availability while exposing limited confidential data.

Critical Impact

Network-adjacent attackers can recover the TDDPv2 encryption key, tamper with router configuration, and trigger reboots that cause denial-of-service conditions on TL-WR841N v13 devices left at default credentials.

Affected Products

  • TP-Link TL-WR841N hardware revision v13.0
  • TP-Link TL-WR841N firmware (all versions exposing TDDPv2 with default credentials)
  • Deployments retaining the factory default web management credentials

Discovery Timeline

  • 2026-04-23 - CVE-2026-5039 published to the National Vulnerability Database
  • 2026-05-05 - Last updated in the NVD database

Technical Details for CVE-2026-5039

Vulnerability Analysis

The TL-WR841N v13 exposes the TDDPv2 debug protocol over the local network. TDDPv2 wraps its payloads in DES-CBC encryption to protect debug commands and responses. However, the symmetric key used by DES-CBC is not randomized per device or per session. Instead, the firmware derives it from the factory default web administration credentials shipped with every unit.

Because those credentials are publicly documented in TP-Link product literature, any party with access to the same Layer 2 segment can reproduce the key. The attacker does not need to authenticate to the web interface, intercept a handshake, or perform credential brute forcing. Decrypting TDDPv2 traffic provides direct access to a debugging surface that was never intended for untrusted callers.

Once inside the protocol, an attacker can issue commands that adjust certain configuration values and instruct the device to reboot. Repeated reboots constitute a denial-of-service condition for wireless clients that depend on the router for connectivity.

Root Cause

The root cause is a hardcoded derivation of cryptographic material from a static, publicly known default credential set. DES-CBC itself is a deprecated block cipher with a 56-bit effective key, but the more pressing issue here is that the key is predictable rather than secret. This combination of weak cryptography and insecure default configuration aligns with [CWE-1394].

Attack Vector

Exploitation requires adjacent network access, typically a wired LAN port or an associated Wi-Fi client. The attacker reconstructs the DES-CBC key from the documented default credentials, crafts TDDPv2 packets, encrypts them with that key, and sends them to the router's debug listener. The router accepts the packets as authentic, decrypts them, and processes the embedded debug commands. No user interaction is required, and the attack succeeds whenever the device remains at its factory configuration.

No verified exploit code is publicly available for CVE-2026-5039.
The attack flow can be summarized as:
1. Attacker joins the same LAN or wireless segment as the TL-WR841N v13.
2. Attacker derives the DES-CBC key from the documented default web credentials.
3. Attacker constructs a TDDPv2 request, encrypts the payload, and sends it to the router.
4. Router decrypts and executes debug commands (config read/modify, reboot).

Detection Methods for CVE-2026-5039

Indicators of Compromise

  • Unexpected TDDPv2 traffic, typically UDP, directed at the router from client devices on the LAN or wireless network
  • Unscheduled reboots of the TL-WR841N v13 logged by upstream monitoring or by clients losing connectivity
  • Configuration drift on the router, such as altered DHCP, DNS, or wireless settings without an administrator change record

Detection Strategies

  • Capture LAN traffic at a span port and alert on UDP packets matching the TDDPv2 header signature originating from non-administrative hosts
  • Baseline router uptime through SNMP or syslog and flag reboot events that do not correlate with planned maintenance
  • Audit router configuration on a schedule and compare snapshots to detect unauthorized changes to wireless or routing parameters

Monitoring Recommendations

  • Forward router syslog to a centralized log platform and retain authentication and reboot events for correlation
  • Monitor wireless client disconnect storms as a secondary signal for repeated reboot abuse
  • Track inventory of TL-WR841N v13 devices and confirm whether each unit still uses default web management credentials

How to Mitigate CVE-2026-5039

Immediate Actions Required

  • Change the default web management username and password on every TL-WR841N v13 device, which alters the credential material that feeds the TDDPv2 key derivation
  • Restrict access to the router's management network so that only trusted administrative hosts can reach the device on LAN segments
  • Disable wireless networks or apply strong WPA2/WPA3 passphrases to prevent unauthenticated adjacent-network access

Patch Information

No vendor security advisory is linked in the NVD record at the time of publication. Administrators should check the TP-Link Firmware Download page for TL-WR841N v13 for updated firmware that addresses the TDDPv2 key derivation issue and apply it once available.

Workarounds

  • Replace default credentials immediately, since the documented attack relies on predictable key material derived from those credentials
  • Segment the router onto a dedicated management VLAN and block TDDPv2 ports from general user subnets where supported by upstream switching
  • Retire end-of-life consumer routers from environments that handle sensitive traffic and replace them with hardware that supports modern authenticated management protocols
bash
# Configuration example: harden a TL-WR841N v13 after first boot
# 1. Log into the web UI at http://192.168.0.1 with the default credentials.
# 2. Navigate to: System Tools -> Password
#    - Set a new administrator username (not 'admin').
#    - Set a strong administrator password (16+ characters, mixed classes).
# 3. Navigate to: Wireless -> Wireless Security
#    - Select WPA2-PSK (AES) and configure a strong passphrase.
# 4. Navigate to: Security -> Remote Management
#    - Set Remote Management IP Address to 0.0.0.0 to disable WAN-side management.
# 5. Reboot the device and verify that the new credentials are required for login.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.