CVE-2026-9770
Severity CVSS v4.0:
HIGH
Type:
CWE-321
Use of Hard-coded Cryptographic Key
Publication date:
15/07/2026
Last modified:
15/07/2026
Description
Kasa EC71 v4 and EC70 v4 firmware contains a static cryptographic private key stored in a read-only filesystem<br />
that is shared across devices. An<br />
attacker with access to the firmware image can extract the embedded key. <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Successful<br />
exploitation may allow an unauthenticated attacker on the same network to use<br />
this key in the web management service, compromising the confidentiality of<br />
encrypted communications. This may enable passive decryption of traffic or<br />
active man-in-the-middle (MITM) attacks
Impact
Base Score 4.0
8.60
Severity 4.0
HIGH
References to Advisories, Solutions, and Tools
- https://www.tp-link.com/en/support/download/ec70/v4/#Firmware-Release-Notes
- https://www.tp-link.com/en/support/download/ec71/v4/#Firmware-Release-Notes
- https://www.tp-link.com/us/support/download/ec70/v4/#Firmware-Release-Notes
- https://www.tp-link.com/us/support/download/ec71/v4/#Firmware-Release-Notes
- https://www.tp-link.com/us/support/faq/5192/



