CVE-2026-5511 — Improper Input Validation on TP-Link's Archer AX72

via Diagnostic Interface

George Chen

~2 min read · May 20, 2026 (Updated: May 20, 2026) · Free: Yes

Summary

In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.

An authenticated attacker could exploit this gap to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data.

Disclosure Timeline

December 2025 — reported to TP-Link (security@tp-link.com)
January 2026 — TP-Link accepted and requested ~90days for remediation
April 2026 — TP-Link shared beta firmware containing fix for me to verify and asked for 30-day disclosure extension
May 2026 — TP-Link published CVE-2026–5511, bulletin on Security Advisory, as well as firmware fix

Thanks TP-Link for the partnership in fixing this one!

https://www.cve.org/cverecord?id=CVE-2026-5511

https://www.tp-link.com/sg/press/security-advisory/

#tp-link #router #cve #security-hardening #singapore

< Go to the original

CVE-2026-5511 — Improper Input Validation on TP-Link's Archer AX72

via Diagnostic Interface

Summary

Disclosure Timeline

Reporting a Problem