Patch Your TP-Link Wi-Fi Range Extender Now

A flaw exists in four models of TP-Link Wi-Fi range extenders that could let an attacker take over the device through the internet and see everything you do online.

The flaw was discovered in a TP-Link RE365 model, sold in Europe, by IBM X-Force researcher Grzegorz Wypych and disclosed today (June 18). In an official IBM blog post, Wypych said he had privately contacted TP-Link, which confirmed the flaw.

Wypych said the company told him the flaw also affected the RE650 model, sold in the United States, the United Kingdom and Canada, as well as two older models, the RE350, sold in all three countries, and the RE500, sold in the U.S. and Canada.

TP-Link has posted patches for all four models on its website. The patches must be downloaded and installed manually by the user, who must also make sure that he or she has the correct hardware version corresponding to the firmware, as well as the firmware corresponding to the user's country of residence.

Here are links to the U.S. firmware of the RE350, the RE500 and the RE650, the U.K. firmware of the RE350, the RE365 and the RE650, and the Canadian firmware of the RE350. Canadian firmware patches for this flaw do not yet appear to be available for the RE500 and the RE650.

For other countries or regions, change the "us", "uk" or "ca" in each URL to your country or region's internet country code, e.g. "eu", "pt" or "pl", or go to TP-Link's "Choose your location" page to be redirected to the front page of each regional TP-Link website.

The firmware to download and install will be dated to late May or early June with the note "Fixed CVE-2019-7406 discovered by IBM to increase security."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.