US Agencies Back Banning Top-Selling Home Routers on Security Grounds (msn.com)

More than half a dozen federal departments and agencies have backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor's ties to mainland China make them a national security risk, The Washington Post reported Thursday, citing people briefed on the matter. From the report: The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company's former assets in China.

The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said. "TP-Link vigorously disputes any allegation that its products present national security risks to the United States," Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. "TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond."

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.

  • by Echoez ( 562950 ) * on Thursday October 30, 2025 @09:09AM (#65761148)

    Whether it's because of the CCP or just bad software development practices, TP-Link devices of all sorts have been riddled with tons of issues.

    https://www.tomsguide.com/comp... [tomsguide.com]

    https://thehackernews.com/2025... [thehackernews.com]

    (This summary is from ChatGPT)
    CVE-2023-33538 – A command-injection vulnerability in models such as TL-WR940N V2/V4, TL-WR841N V8/V10, TL-WR740N V1/V2.
    CVE-2023-1389 – A command injection flaw in the Archer AX-21 model that has seen exploit attempts.
    CVE-2024-53375 – Authenticated remote-code-execution (RCE) vulnerability in the "HomeShield" feature of some Archer router series.
    CVE-2025-9377 – An OS command-injection vulnerability in models "Archer C7(EU) V2" and "TL-WR841N/ND(MS) V9" via the Parental Control page.
    CVE-2025-25427 – A stored XSS (cross-site scripting) vulnerability in the UPnP page of WR841N v14/v14.6/v14.8.
    CVE-2025-9961 – Authenticated RCE via the CWMP binary, affecting AX10 & AX1500 series, exploitable only via MITM (Man-in-the-Middle).

    At some point, it makes sense to ban these on the grounds that they pose a security risk regardless of whether that risk is from malicious intent or just terrible software engineering practices.

    • OpenWRT (Score:5, Interesting)

      by Meneth ( 872868 ) on Thursday October 30, 2025 @09:16AM (#65761166)
      Assuming those exploits target the software and not the hardware, then installing OpenWRT would fix them.
      • Yep! If they really want to increase security, a relatively tiny yearly fund for OpenWRT security red/blue teaming would help homes, businesses and, I bet, lots of military too.
      • by sconeu ( 64226 )

        Except OpenWRT is not supported on a lot of modern (AX) TP-Link devices.

      • Very big assumption. I'm even skeptical with companies like Ubiquiti on their routers given how much responsibility they have contracted out.

    • by Petersko ( 564140 ) on Thursday October 30, 2025 @09:22AM (#65761176)

      Try that same investigative path on ANY router manufacturer.

      https://www.asus.com/security-... [asus.com]
      https://www.cisa.gov/known-exp... [cisa.gov]

      The question is whether TP-Link stuff is an outlier in terms of vulnerabilities, and a cursory search says it depends who you ask, but it seems like they're at least average.

    • by AmiMoJo ( 196126 ) on Thursday October 30, 2025 @09:37AM (#65761224) Homepage Journal

      Yeah, about that... Here's a list of Linksys CVEs that are scored 9.0 or above:

      CVE-2002-2159, CVE-2008-0228, CVE-2008-1247, CVE-2008-1268, CVE-2008-4594, CVE-2009-3341, CVE-2009-5157, CVE-2010-1573, CVE-2010-2261, CVE-2013-4658, CVE-2017-17411, CVE-2018-17208, CVE-2018-3953, CVE-2018-3954, CVE-2018-3955, CVE-2019-11535, CVE-2019-16340, CVE-2020-35713, CVE-2020-35715, CVE-2022-38555, CVE-2023-46012, CVE-2024-33789, CVE-2024-57223, CVE-2024-57224, CVE-2024-57225, CVE-2024-8408, CVE-2025-34037, CVE-2025-45487, CVE-2025-45488, CVE-2025-45489, CVE-2025-45490, CVE-2025-45491, CVE-2025-4999, CVE-2025-5000, CVE-2025-5441, CVE-2025-5442, CVE-2025-5443, CVE-2025-5444, CVE-2025-5445, CVE-2025-5446, CVE-2025-5447, CVE-2025-6751, CVE-2025-6752, CVE-2025-8816, CVE-2025-8817, CVE-2025-8819, CVE-2025-8820, CVE-2025-8822, CVE-2025-8824, CVE-2025-8826, CVE-2025-8831, CVE-2025-8832, CVE-2025-8833, CVE-2025-9245, CVE-2025-9246, CVE-2025-9247, CVE-2025-9248, CVE-2025-9249, CVE-2025-9250, CVE-2025-9251, CVE-2025-9252, CVE-2025-9253, CVE-2025-9355, CVE-2025-9356, CVE-2025-9357, CVE-2025-9358, CVE-2025-9359, CVE-2025-9360, CVE-2025-9361, CVE-2025-9363, CVE-2025-9392, CVE-2025-9393, CVE-2025-9481, CVE-2025-9482, CVE-2025-9483, CVE-2025-9525, CVE-2025-9526, CVE-2025-9527

      Is there anyone else in the consumer/SOHO space you would recommend?

      • Ubiquiti firewalls are pretty cheap and run custom OpenWRT. Or a mini PC with pfSense.
      • by kbahey ( 102895 )

        Is there anyone else in the consumer/SOHO space you would recommend?

        There are some routers now that ship with OpenWRT, and you can update them to later versions.
        So these won't be plagued with security issues to the same extent as proprietary firmware from the manufacturer.

        Many of them use the MediaTek Filogic SOC [mediatek.com].

        One such company is Cudy [cudy.com], which is available for purchase on Amazon. For example, their WR3000H [openwrt.org] has 1 x 2.5Gbps port, used to be C$99 on Amazon [amazon.ca].

        • by AmiMoJo ( 196126 )

          I am considering Cudy products at the moment. They are well priced and seem like decent hardware. To some extent there isn't that much difference between many of the products now, they are all essentially a couple of reference designs for a handful of chips.

          Might try one of their POE access points.

          There is the OpenWRT One as well. The form factor is a bit awkward, with the ethernet ports and antenna jacks on the same side, and it could do with a cover for cosmetic reasons, but it has the big advantage of bein

      • by labnet ( 457441 )

        I run a Ubiquiti EdgeRouter at home and pfSense at work. Both are rock solid.

    • by flink ( 18449 )

      I use their Omada line of SOHO APs, controller, and managed switches. I find that they are quite solid and patches come out pretty regularly. I'd never trust their router though. Everything lives behind an OPNsense router/firewall running on a mini PC.

    • ASUS and other brands have the same cheesy, pathetic cut-and-paste firmware, so zero progress has been made, including the ones made in Vietnam. Standards and audits matter. But like Boeing, the regulators lack core competencies when disclosed CVEs yell "shut them down". Cisco may also face issues.
  • Tough call... (Score:5, Insightful)

    by Petersko ( 564140 ) on Thursday October 30, 2025 @09:10AM (#65761150)

    The problem is that having 6 federal agencies back a proposal used to mean something valuable. Now it just seems like they think it's the politically acceptable thing to do. And so it's useless if you're just trying to evaluate risk. The destruction of the trustworthiness of these agencies is catastrophic, and will live far beyond the four year horizon.

    The thing is, those agencies might be giving an honest assessment, and are collectively just trying to do their jobs as well as they can. There's just no way to know.

  • by AmiMoJo ( 196126 ) on Thursday October 30, 2025 @09:11AM (#65761152) Homepage Journal

    TP-Link hardware is generally quite decent, and a lot of their gear can be flashed with OpenWRT if you don't like their firmware.

    Their firmware isn't bad though. They update it when needed, and they don't disable features just to upsell you the next model, generally if the hardware can do it they will have that feature enabled.

    • Their firmware isn't bad though.

      Loads of severe vulnerabilities

      They update it when needed

      No they don't. They regularly abandon devices with unfixed flaws, like everyone else.

      • by AmiMoJo ( 196126 )

        TP-Link don't seem to be worse than the competition for security issues. Certainly better than Cisco/Linksys and... Actually that's it for US manufacturers, isn't it? You can get a bit better if you pay a lot more, like some of the UniFi stuff, but not in that price bracket.

        Otherwise it's Taiwanese vendors like D-Link and Asus, neither of which I rate very highly. Neither offer very good security or support.

        I wonder who is next. GL.iNet have a lot of very good products (their Flint routers are very well rec

        • Ubiquiti isn't even out of the bracket. They fall on the high end, ~$200, but that gets you a 10 gigabit router with Wi-Fi 7. Comparably spec'd Linksys and Netgear routers cost about the same. Plus, I'm pretty sure they're still OpenWRT based.

          Asus has been tied to slave labor, so I won't buy from them anymore. I just wish I had found that out before I rebuilt my computer instead of shortly after.

          • by AmiMoJo ( 196126 )

            I thought Ubiquiti needed some proprietary controller app thing.

            • You only need it to adopt new hardware, make configuration changes, install firmware updates, etc. I have mine running in a docker container, but I'm pretty sure they still have an application you can just run on your computer. Or you can buy an official piece of hardware dedicated to hosting the controller.
            • by labnet ( 457441 )

              The EdgeRouter which I use has a web interface for control. Their UniFi range uses a proprietary controller, which is most of the switch and wireless stuff. We have about 40 UniFi products on our work network, and their control plane is awesome.

              • by AmiMoJo ( 196126 )

                Ah, thanks, that's interesting. I will have another look at their stuff then. I'm looking at access points. Looking for something Wi-Fi 7 with tri-band and PoE.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday October 30, 2025 @09:11AM (#65761154) Homepage Journal

    Here's a plan, ban any routers where the system isn't FOSS with anti-tivoization.

    I know, not gonna happen.

    But it's the only rational solution.

    • by cusco ( 717999 )

      Open Source is not the magic wand to fix every security issue; how many issues have sat in Linux for years or even decades before being found and addressed?

      • Open Source is not the magic wand to fix every security issue

        Straw man

        how many issues have sat in Linux for years or even decades before being found and addressed?

        How many issues have sat in Windows for years or even decades before being found and addressed? You will NEVER KNOW because that information is a SECRET. You're acting like Linux isn't superior from a security standpoint when we all know it is, and it's sad. Bill Gates will never appreciate you.

        • To be fair, his was not a straw man. There are legitimate examples that demonstrate his point. Log4j is a good one.

          But your Windows point is a non sequitur. He didn't say anything about Windows. He just said open source wasn't a magic wand, and that's true.

          • It was a straw man because no one claimed what he said wasn't the case. You could just look up logical fallacies if you are confused about them.

            • Wait. Since when is the straw man fallacy dependent upon someone challenging it? Do they cease being fallacious when someone says they aren't true, or were they already fallacious regardless of whether or not anyone noticed?
            • I understand the straw man fallacy. No need to be condescending. I just thought that his point and yours weren't that far apart. You went all the way to "ban non-FOSS", and his response, while exaggerated, was still on point, the point being that wouldn't fix everything. You leapt on the literal text while ignoring the intent. And anybody reading it would have known what he meant.

          • It's an insinuation that closed source is better. Just looking up CVEs will tell that's not true.

        • by cusco ( 717999 )

          In Win NT 3.51 the printer driver ran in kernel mode; substituting a corrupted kernel could introduce all sorts of security issues. They attempted to deal with it in Service Pack 3, and it broke all sorts of apparently-unrelated things. Can't remember if they withdrew the SP or if they just recommended not installing it unless you had to. Anyway, that issue was finally addressed just a couple of years ago, I think with the introduction of Win11 protected printing mode. Apple and Adobe used to be famous

          • by cusco ( 717999 )

            Oh, carp. Substituting a corrupted driver, not a corrupted kernel. Need coffee . . .

        • So, what you're saying is that long-standing vulnerabilities exist and have been overlooked on both platforms. You're just saying it angrily as if that makes another point?
          • So, what you're saying is that long-standing vulnerabilities exist and have been overlooked on both platforms.

            That's not only not what I said, it's not relevant to what I said.

            • Well, you are both saying that issues have sat "for years or even decades before being found and addressed" on each platform, and neither of you appears to have challenged the accuracy of the other's statement.

              We can further extend that to all software, as vulnerabilities going unnoticed for years can happen with any code base - and thus see that the two of you are just angrily recognizing this basic truth.

              There are tradeoffs with both the open and closed source models. Open source makes it easier to

      • One word. Heartbleed.

      • It means a router has a lot longer lifespan, because -someone- may spend a lot of time maintaining the firmware for it. Having it closed off means the device is e-waste.

    • by caseih ( 160668 )

      And open source has to go beyond just the operating system. All the chip firmwares need to be open as well. This is currently a huge problem for any embedded Linux. Even the OpenWRT One flagship router has a proprietary blob firmware. Whether this is because of RF regulations I don't know, but it's not acceptable.

      In some ways we live in a golden age of open source, but in other ways, things are much, much more closed than they were decades ago.

  • There's no real hardship here, just open source the hardware, software, designs, and then spin this around and force the US government to prove there's anything to be concerned about. Secure chains of trust are available, so everything can be validated, signed and audited, so really there is no good argument against doing this, unless you have something to hide! Keep in mind going open source does not mean giving away everything for free, it just means you're being accountable.
    • Unless the government's goal is to promote the idea "Chinese! Scary!" In which case every last drop of that effort is a complete waste.

      • Yes, but that's a different issue, and if you can show that using the government's baseless methodology, you can probably cause a good amount of change. From TP-Link's side, there isn't a downside to this; they can prove reliability, safety, security and privacy, and shut the government up.
        • by HiThere ( 15173 )

          It wouldn't shut the government up, but it would undercut them with anyone who wasn't a "true believer".

          • That's effectively the same thing, you'd somehow discredit the administration more than they're already discredited, which granted is hard.
      • I thought the plan was "Don't use that Chinese product - the Chinese government has backdoors in it! Use Good ol' American products, with good ol' American backdoors!"
    • The Federal government can certainly require open source equipment for Federal Agencies and Federally Funded projects. Probably lean on banks, hospitals, utilities, and other regulated industries to switch over. Consumer goods can be listed as "Not Recommended".

      • They should demand open source, as should most companies. If a company is willing to provide the evidence they're above board, and can show verification that what they're showing you is what you're going to get, then there is no downside.
        • Having worked at a large software company that provided software to many government and defense agencies around the world, we often would have code reviews with those entities. We did one in a conference room with no networking. After a couple weeks of them reviewing the code, we ran a build of it in that room and they took the binaries produced from the code they reviewed. Government agencies do get source access and the ability to review it from proprietary developers. It's part of the contract when y

          • I've been involved in DoD level platform sign off. One of the companies I used to work for had a platform X, that was closed AF, despite my objections. The DoD had us do a live demo of it in Virginia in a closed meeting. We had to submit the platform for a ton of security testing, BUT, we never had to submit source code. I had to bring the platform with me, on a CD, and show it running on a server they provided, but again, never had to hand over source. I sat in the testing room, with the testers, and
    • by Anonymous Coward

      I would say that public access to source code used by government, and publicly held businesses is a fundamental right, over the long term.

      This follows from the public right to long term oversight over government, arising under the 9th Amendment as a right 'retained by the people', and the 10th Amendment as a right 'reserved to the people', and a corollary of the dual rights to ethical practice of law and ethical government.

      However, as a long term right it doesn't require the source code to be open source, s

  • by evil_aaronm ( 671521 ) on Thursday October 30, 2025 @09:29AM (#65761212)
    I'll bet a "campaign contribution" to Trump would mollify these agencies, and induce them to drop their warnings. And I get it: this is how it works, now. But it also means the agencies have zero effectiveness; they're useless until we get a better executive.
    • by caseih ( 160668 ) on Thursday October 30, 2025 @09:56AM (#65761278)

      I'm not convinced federal agencies will ever be effective in any way ever again. Even if by some miracle after all the anti-election machinations by the GOP a democrat does get into office, the damage to these agencies is permanent. A new president would essentially have to do his own complete purge, which of course the GOP would loudly claim, with absolutely no sense of irony or hypocrisy, was unconstitutional and worthy of impeachment, and fight tooth and nail in the courts. And even if a democrat purge was successful, it would just be wiped again when the next GOP trump gets in. No honest American would ever want to work for a federal agency under those circumstances, knowing you'd just get fired at the next election.

      I try to explain this to my GOP relatives, but they just don't see the problem.

      • by cusco ( 717999 )

        This is what started happening in Peru, now their government is one of the least effective and most corrupt on the planet.

      • Damn. Your genes must suck if you have so many maga family members.

      • Who fucking cares what the GOP think! Democrats need to grow a fucking pair of balls and follow through.

        The Democrats will eventually take things back over but it won't matter. Why won't it matter? Because they are spineless and for some reason, listen to the GOP sometimes. How about, next time you have your super majority, you fucking implement your plans you are so sure will work and ignore the naysayers.

        You think the Republicans care? I don't and I sometimes even vote for them.

        I'd rather vote evil then b

      • Trump is doing that purge. The bureaucracy was becoming self sufficient and not beholden to the one elected person in the executive branch. It was becoming a self serving government and not democratic. We saw that in Trump's first term where the bureaucrats were being the 'resistance' and not following the President's agenda. If you really want to 'protect democracy' as Democrats keep ranting about, then you'd be all for having a federal government that actually does what the elected President tells th

    • The agencies are useless now because of something you suspect may happen in the future?
  • Only allow manufacturers to ship "China-contaminated" network routers or similar equipment if detailed specifications of the "China-contaminated" parts are published that show nothing hostile is in the device AND there is a feasible method to prove that the "China-contaminated" parts of the hardware match the specifications.

    If China is not a threat then leave TP-Link alone.

    • Okay, I'll jump on that horn. Hell, go one step further and ban all network hardware manufactured in China. You have my full support.
  • by gary s ( 5206985 ) on Thursday October 30, 2025 @12:59PM (#65761936)
    If you're banning Chinese devices, then there is going to be a lot of things on the banning list.
  • ... routers will be allowed...

    hackers security risk in the eyes of these numbskulls, only state actors.
