A flaw exists in four models of TP-Link Wi-Fi range extenders that could let an attacker take over the device through the internet and see everything you do online.
The flaw was discovered in a TP-Link RE365 model, sold in Europe, by IBM X-Force researcher Grzegorz Wypych and disclosed today (June 18). In an official IBM blog post, Wypych said he had privately contacted TP-Link, which confirmed the flaw.
Wypych said the company told him the flaw also affected the RE650 model, sold in the United States, the United Kingdom and Canada, as well as two older models, the RE350, sold in all three countries, and the RE500, sold in the U.S. and Canada.
TP-Link has posted patches for all four models on its website. The patches must be downloaded and installed manually by the user, who must also make sure that he or she has the correct hardware version corresponding to the firmware, as well as the firmware corresponding to the user's country of residence.
Here are links to the U.S. firmware of the RE350 (opens in new tab), the RE500 (opens in new tab) and the RE650 (opens in new tab), the U.K. firmware of the RE350 (opens in new tab), the RE365 (opens in new tab) and the RE650 (opens in new tab), and the Canadian firmware of the RE350 (opens in new tab). Canadian firmware patches for this flaw do not yet appear to be available for the RE500 and the RE650.
For other countries or regions, change the "us", "uk" or "ca" in each URL to your country or region's internet country code, e.g. "eu", "pt" or "pl", or go to TP-Link's "Choose your location (opens in new tab)" page to be redirected to the front page of each regional TP-Link website.
The firmware to download and install will be dated to late May or early June with the note "Fixed CVE-2019-7406 discovered by IBM to increase security."