Table of Contents
Peplink released Firmware 8.5.4 on February 16, 2026, and this update deserves your attention whether you manage a single router or a fleet of hundreds. The release combines a critical security advisory, a long-requested hardware feature, and a broad sweep of cellular, DNS, VPN, and system stability fixes that affect nearly every device in the Peplink lineup.
Here is a full breakdown of what changed and what it means for your deployment.
Critical Security Fix: API Remote Code Execution Vulnerability
The most important item in this release is reference 35920, a security advisory patching a vulnerability in the Peplink API that could allow remote code execution. This fix applies to all supported models. If you are running any Peplink device on a network-accessible interface, upgrading to 8.5.4 should be treated as a priority, not a routine update. Peplink has not published full exploit details, which is standard practice for security disclosures, but the severity classification warrants prompt action.
What Is New: Improvements
iPhone USB Tethering (ref 35953)
Firmware 8.5.4 adds native support for using an iPhone as a USB mobile modem. This is a genuinely useful addition for deployments where a spare iPhone can serve as a backup WAN source without requiring a separate cellular router or adapter. Supported devices include the Balance 310 5G, 310 Fiber 5G, 310X, 380X, 580X, 305, 380, 580, 1350, 2500, 1350/2500/5000 EC, MAX BR2 Pro HW4, HD2/4 MBX, MBX Mini, B One, B One 5G/Plus, all MediaFast models, SDX, SDX Pro, and EPX.
Faster HA Configuration Sync (ref 36035)
High Availability deployments will benefit from a change to the HA configuration synchronization interval, which has been tightened from 5 minutes down to 2 minutes. For mission-critical setups, this means configuration changes replicate to the standby unit twice as fast, reducing the window of divergence between primary and secondary during a failover event. This applies to all models except FusionHub.
InControl Tunneling Protocol Update (ref 36045)
The tunneling protocol used for Remote Web Admin and InTouch connections through InControl has been updated for enhanced security. This is a behind-the-scenes change that strengthens encrypted management access without requiring any configuration changes on your end.
Improved Wi-Fi WAN Roaming (ref 35950)
Devices using Wi-Fi WAN with a DHCP connection method will see improved roaming behavior in this release. This fix was backported into several 8.5.0 staging builds but is now included as a full release for affected models including the Balance 20X, 310 Fiber 5G, most MAX models, B One/B One 5G/Plus, UBR Plus, MediaFast HD2/HD4, PDX, and MBX.
Captive Portal SSL Certificate Update (ref 35968)
The Captive Portal SSL certificate has been refreshed across all models except FusionHub, preventing potential certificate warnings for guest network users.
Resolved Issues
This release addresses an extensive list of bugs. The highlights most relevant to Peplink customers and MSPs managing cellular deployments are below.
Cellular
Three cellular-related fixes land in 8.5.4. Automatic carrier selection was being re-applied repeatedly even when it was already active (ref 35954), a behavior that could cause unnecessary reconnection cycles on live connections. Separately, cellular module firmware upgrades could fail in certain conditions (ref 35977), and devices with 5GK cellular modules could see cellular service drop unexpectedly while in 5G mode (ref 35952). All three issues are resolved across the full range of cellular-capable models.
A fourth fix (ref 35477) addresses a situation where missing model or network mode information on 5GH devices could prevent the cellular connection from establishing at all. If you have seen unexplained cellular connection failures on 5GH hardware, this fix is likely the culprit.
DNS Proxy and DNS-over-HTTPS
Custom DNS servers were not functioning properly when a device was in the HA slave role (ref 35960). DNS-over-HTTPS with Quad9 servers was also broken (ref 35969). A third DNS issue (ref 35979) caused DNS traffic to be handled incorrectly when grouped networks were enabled via DPI. All three are now resolved.
eSIM and RemoteSIM
Peplink eSIMs could be skipped during SIM failover when the device could not reach InControl (ref 35985). BYO eSIM details were not displayed in Synergy mode (ref 35983). RemoteSIM traffic over Synergy could fail to establish (ref 35197), and WAN Restriction mode could take a long time to refresh rules when Remote SIM servers used hostnames rather than IP addresses (ref 35962). All four issues are patched.
InControl and Remote Management
Remote Web Admin was non-functional when accessed from InControl on 8.5.4 Beta 1 (ref 36046), and synergized devices could fail to come back online in InControl after the synergy link was disconnected and the device rebooted (ref 36038). Both are resolved in the final 8.5.4 build.
Outbound Policy and VPN
Outbound policy rules were not falling back correctly when an IPsec VPN connection was unavailable (ref 35967). This could result in traffic taking an unintended path when a VPN tunnel went down. The fix applies to all models except FusionHub.
Wi-Fi
Two Wi-Fi fixes address client connectivity failures. Wi-Fi clients could not connect to an SSID when both IPv6 and per-port VLAN were enabled simultaneously (ref 35936). Wi-Fi WAN could also fail to reconnect to WPA3 access points after a disconnect (ref 35944). Both issues are resolved across most MAX, Balance, B One, UBR, and MediaFast models.
USB WAN
USB WAN configuration changes were not being saved through a reboot (ref 35982), which would require manual reconfiguration after any power cycle. This is fixed across Balance, MAX, B One, MediaFast, SDX, and SDX Pro models.
Switch Controller
Two Switch Controller fixes are included: peer device serial numbers were not being reported to InControl via LLDP (ref 36014), and configuring External Access to VLAN could cause an SD Switch device to go offline after syncing with the Switch Controller (ref 36052). A third fix (ref 34263) restores correct reporting of managed switch online status and forwarding of switch reports to InControl.
GPS Forwarding
GPS forwarding could fail when certain GNS message formats were received (ref 35949), affecting the Balance 20X, 310X, most MAX models with GPS, UBR Plus, PDX, SDX, SDX Pro, and EPX.
System
Multicast relay traffic was using an incorrect source MAC address (ref 35946), power-off logs were showing incorrect timestamps (ref 35957), and a general system stability issue was also addressed (ref 35961). All apply to all supported models.
Important Notices Before Upgrading
A few things to keep in mind before you push this update:
The Balance 310 HW5 is not included in this release. Peplink has indicated a separate firmware build is coming to address that model specifically.
Several older models are entering maintenance-only support under the 8.5.x branch and will not receive further major firmware updates. This includes older Balance hardware such as the 30 LTE HW3, 30 Pro HW1, 210 HW4-5, 310 HW4, and One HW1-3/Core HW1, as well as a long list of legacy MAX models. If you are running affected hardware, now is a good time to evaluate a refresh cycle.
SpeedFusion VPN on firmware 8.5.2 or above is not compatible with devices running firmware 8.0.0 or below. If you have mixed-version deployments, plan your upgrades accordingly.
FusionSIM and RemoteSIM users should also upgrade their SIM Injector to Firmware 1.2.5 alongside this router firmware update.
5Gstore Take
Firmware 8.5.4 is not a flashy feature release, but it is exactly the kind of update that keeps enterprise and fleet deployments healthy. The API remote code execution fix alone makes this a mandatory upgrade for any internet-accessible Peplink deployment. Add in the faster HA sync, iPhone USB tethering as a new backup WAN option, and a long list of cellular and DNS reliability fixes, and the case for upgrading is clear.
If you are managing Peplink routers across multiple sites, InControl makes it straightforward to stage and schedule the rollout. If you need help planning your update strategy, selecting hardware, or configuring HA for maximum uptime, our team is here to help. Contact us and we will get you sorted.
FAQ
What is the most important fix in Peplink Firmware 8.5.4?
The most critical fix is a security vulnerability in the Peplink API (ref 35920) that could allow remote code execution. This affects all supported models and should be treated as a priority upgrade.
Which Peplink devices support iPhone USB tethering in firmware 8.5.4?
iPhone USB tethering is supported on the Balance 310 5G/Fiber 5G, 310X, 380X, 580X, 305, 380, 580, 1350, 2500, 1350/2500/5000 EC, MAX BR2 Pro HW4, HD2/4 MBX, MBX Mini, B One/B One 5G/Plus, all MediaFast models, SDX, SDX Pro, and EPX.
Is the Balance 310 HW5 supported in firmware 8.5.4?
No. Peplink has excluded the Balance 310 HW5 from this release and will issue a separate firmware build for that model shortly.
What Peplink models will no longer receive major firmware updates after 8.5.x?
Older hardware including the Balance 30 LTE HW3, 30 Pro HW1, 210 HW4-5, 310 HW4, One HW1-3, and One Core HW1 will only receive 8.5.x maintenance releases going forward. A number of legacy MAX models are also affected. Check the Important Notices section of the official release notes for the full list.
Is SpeedFusion VPN compatible between devices on firmware 8.5.4 and older firmware?
Devices on firmware 8.5.2 or above running SpeedFusion VPN are not compatible with devices on firmware 8.0.0 or below. Mixed-version SpeedFusion deployments should be upgraded together.
