I understand all this just so you know.
That's not clear in our communication FWIW
What I am saying is there are hundreds of millions if not more typical consumer routers in American homes bought in places like Walmart and Best Buy, TP-Link is just one of them.
OK, and your point in mentioning this is what? You know how many botnets are out there? How many people are blissfully unaware that they've been compromised? TP-Link is a Chinese company, as @Rand has mentioned. They'd be the last people I'd be trusting on the perimeter of my network, but you are free to do you, as I've learned from the numerous exchanges on here, once you've got your mind set on something, nothing is going to change that.
There is also Netgear, Linksys and to some degree Asus … out of all these brands TP-Link is no worse or better.
CVEs:
Netgear: 1,142
TP-Link: 332
ASUS: 249
Linksys: 128
Netgear makes a ton of equipment, and has been around a very long time, their oldest CVE is from 2001. TP-Link's oldest CVE is from 2012. I don't see any really spicy ones for Netgear that are recent, same with Linksys. The most recent ones for Linksys apply to ancient devices.
The latest TP-Link CVE is from March 5th, 2024:
Cross-Site Scripting (XSS) vulnerability stored in TP-Link Archer AX50 affecting firmware version 1.0.11 build 2022052. This vulnerability could allow an unauthenticated attacker to create a port mapping rule via a SOAP request and store a malicious JavaScript payload within that rule, which could result in an execution of the JavaScript payload when the rule is loaded.
Or how about this one from January 4th, 2024:
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product to execute arbitrary OS commands. Affected products/versions are as follows: Archer AX3000 firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115", Archer AX5400 firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115", Archer AXE75 firmware versions prior to "Archer AXE75(JP)_V1_231115", Deco X50 firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122", and Deco XE200 firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120".
This ASUS one from February 19th, 2024 is a real banger:
A Null pointer dereference in usr/sbin/httpd in ASUS AC68U 3.0.0.4.384.82230 allows remote attackers to trigger DoS via network packet.
The question isn't whether vulns will exist in these other brands, they will, it's the nature of all network gear. It's whether they are:
A. Easily exploited
B. Going to be patched
Tying into "B" there, does the device do automatic firmware updates? Because Joe Average home user isn't going to be manually checking. In the more commercial space, this has been a huge issue with Fortinet, people running ancient firmware and their firmware being full of holes.
So my attitude is more or less pick your poison.
I’ll always be running a relatively recent router versus the tens of millions older ones that are much more susceptible for those who fear an issue.
That's folly. Just because they are old doesn't mean they are more susceptible. CVEs that apply to newer devices often DON'T apply to older devices because they are running older generation firmware that doesn't have those same issues or lack the feature that the vuln is present in. For the same reason Ubuntu server ships with a 5-series kernel while 6/7 series are "current", "relatively recent" is not inherently better, particularly if the brand has spotty security and QC history.
I’m not concerned other than to have a relatively recent router and I do believe the more popular brands and models will have issues discovered much more rapidly than lesser sold models.
But then again, I ride a motorcycle too
I have no problem if somebody wants a prosumer as you call it device. Those devices are very limited.
Yes, you've made it abundantly clear that you are "not concerned". I work in the industry, I'm quite concerned, if I wasn't concerned, I wouldn't be doing my job.
You'll have to explain to me your statement that prosumer devices are "very limited", because as presented, it makes no sense.