If you’re running a business on a consumer-grade router, we need to talk. We spent weeks digging through 10 years of public security vulnerability data across 16 router manufacturers — from household names like TP-Link and Netgear to enterprise-focused brands like Cradlepoint and Peplink. The numbers paint a stark picture: consumer routers are overwhelmingly more vulnerable than their enterprise counterparts, and the gap isn’t even close.
This matters now more than ever. In March 2026, the FCC took the unprecedented step of banning new consumer-grade routers manufactured abroad, citing national security risks. The U.S. government has spent the past two years investigating TP-Link — the most popular consumer router brand in America — over its ties to Chinese state-sponsored cyberattacks. And multiple botnets are actively hijacking consumer routers right now to attack American businesses and government agencies.
Here’s what the data says, what it means for your business, and what you can do about it.
What Are CVEs, and Why Should You Care?
A CVE (Common Vulnerabilities and Exposures) is essentially a publicly documented security flaw in a piece of software or hardware. When security researchers or manufacturers discover a vulnerability in a router, it gets assigned a CVE identifier (like CVE-2023-1389) and is catalogued in the National Vulnerability Database (NVD) maintained by NIST.
Think of it like a recall notice for your router’s security. Each CVE means there’s a known way that an attacker could potentially break into, take over, or disrupt that device.
Not all CVEs are created equal. Each one is assigned a CVSS (Common Vulnerability Scoring System) severity score from 0 to 10:
- Critical (9.0-10.0): An attacker can likely take complete control of your device remotely, often without needing a password. These are the “drop everything and patch now” vulnerabilities.
- High (7.0-8.9): Serious flaws that could allow remote code execution, data theft, or significant disruption. Still very dangerous.
- Medium (4.0-6.9): Vulnerabilities that typically require some preconditions to exploit (like being on the local network or having partial access already).
- Low (0.1-3.9): Minor issues with limited impact.
When you see a router brand with hundreds of CVEs — and dozens of them rated Critical or High — that’s a router that has been repeatedly proven to be hackable in serious ways.
The Data: Consumer vs. Enterprise (2016-2026)
We analyzed CVE records from the National Vulnerability Database, CVE Details, OpenCVE, and CISA’s Known Exploited Vulnerabilities catalog for 16 router manufacturers over the past decade.
Total CVEs by Manufacturer
The chart tells the story at a glance. Consumer brands — shown in red — dominate the left side with hundreds of CVEs each. D-Link leads with roughly 500 documented router vulnerabilities over 10 years, followed by Netgear’s consumer line (Nighthawk, Orbi, etc.) at approximately 450, and TP-Link at around 409. Even smaller consumer brands like Tenda (~200) and ASUS (~150) dwarf the enterprise brands that 5Gstore sells.
Those green bars? That’s Cradlepoint (10 CVEs), Peplink (10), Inseego (9), Sierra Wireless (25), and Netgear’s ProSAFE enterprise line (38). Over the entire decade.
The average consumer router brand in our study had 217 CVEs over 10 years. The average enterprise brand 5Gstore sells had 18. That’s a 12-to-1 ratio.
Critical and High Severity CVEs
This chart narrows the focus to the vulnerabilities that matter most — the Critical and High severity CVEs that could let an attacker take over your router remotely. The pattern holds. Consumer brands have between 30 and 245 critical-plus-high CVEs each. Enterprise brands carried by 5Gstore? Between 4 and 19.
D-Link’s 245 severe vulnerabilities mean that, on average, researchers found roughly two serious, remotely exploitable flaws in D-Link routers every single month for a decade. TP-Link’s 205 critical-and-high CVEs aren’t far behind.
CVE Trends Over Time
The trend lines are revealing. Consumer router CVE discoveries surged between 2019 and 2023 as security researchers and nation-state hackers increasingly targeted home and small-business networking equipment. TP-Link CVEs peaked in 2023-2024, coinciding with the discovery of multiple botnets actively exploiting their routers.
Meanwhile, Cradlepoint and Peplink barely register on the chart — their lines hug the bottom, typically showing zero to two CVEs per year.
Severity Breakdown
The stacked severity chart shows that consumer brands don’t just have more CVEs — they have proportionally more severe ones. The deep red (Critical) and orange-red (High) segments are substantial across all consumer brands. For enterprise brands like Cradlepoint, Peplink, and Inseego, the bars are so small they’re almost invisible.
A Note on Cisco and Juniper
You’ll notice that Cisco (559 CVEs) and Juniper (220 CVEs) — both enterprise brands — actually have very high CVE counts. This deserves context. Cisco and Juniper run some of the most widely deployed networking infrastructure on the planet. Their IOS/IOS-XE and JunOS operating systems power millions of devices across Fortune 500 companies, governments, and internet service providers worldwide.
Their high CVE counts reflect several factors: enormous product portfolios, intense scrutiny from the global security research community, and — importantly — dedicated Product Security Incident Response Teams (PSIRTs) that actively find, disclose, and patch vulnerabilities with regular cadence. When Cisco publishes a CVE, a patch is typically available the same day.
This is fundamentally different from a consumer brand like Tenda, where 10 critical buffer overflow vulnerabilities are published in a single month and many affected models are either end-of-life or never receive a patch at all.
The TP-Link Spotlight: From Best-Seller to National Security Risk
TP-Link deserves special attention. With an estimated 65% share of the U.S. consumer router market and more than 300 U.S. internet service providers issuing TP-Link routers as their default home equipment, the company’s security track record has enormous real-world consequences.
409 CVEs and Counting
Over the past decade, TP-Link products have accumulated approximately 409 documented CVEs. Many of these are severe. CVE-2023-1389, an unauthenticated command injection flaw in the popular Archer AX21 router (CVSS 8.8), has been actively exploited by at least six different botnet operations. CVE-2025-7850, a critical OS command injection vulnerability (CVSS 9.3), allows complete remote takeover via the WireGuard VPN settings. And CVE-2025-7851 revealed unauthorized root access available through leftover debug code in production firmware.
State-Sponsored Exploitation
What sets TP-Link apart isn’t just the number of vulnerabilities — it’s who has been exploiting them. In May 2023, Check Point Research uncovered “Horse Shell,” a custom malicious firmware implant built specifically for TP-Link routers by a Chinese state-sponsored APT group called Camaro Dragon. The implant was being used to target European foreign affairs entities, providing remote shell access, file transfer capabilities, and encrypted tunneling through compromised routers.
Microsoft’s Threat Intelligence team identified thousands of compromised TP-Link routers operating as part of a botnet designated CovertNetwork-1658 (also known as “Quad 7”). Chinese threat actors have been using this network since at least 2023 to conduct password-spray attacks against Microsoft 365 accounts at U.S. government agencies and defense contractors.
Perhaps most alarming is the Volt Typhoon campaign — a Chinese hacking group that, according to the FBI and CISA, spent at least five years embedded in American critical infrastructure networks, using compromised TP-Link routers for lateral movement and command-and-control.
Government Response
- August 2024: A bipartisan group of 23 members of Congress urged the Commerce Department to ban TP-Link, calling it a “glaring national security issue.”
- Late 2024-2025: The DOJ, Commerce Department, and Department of Defense opened joint investigations into TP-Link’s China ties and pricing practices.
- October 2025: The Texas Attorney General sued TP-Link, alleging the company facilitated Chinese Communist Party access to Americans’ devices.
- March 2026: The FCC banned new consumer-grade routers manufactured abroad — a rule that primarily targets TP-Link and other Chinese-made consumer networking equipment.
TP-Link has responded by claiming it separated its U.S. operations from its China-based parent company in 2024, with headquarters now in California and manufacturing in Vietnam. Security researchers have noted that there’s no public evidence TP-Link was complicit in the attacks — the issue is that their routers’ many vulnerabilities made them easy targets for state-sponsored exploitation.
The FCC’s Foreign Router Ban: What We Know
On March 23, 2026, the FCC announced a ban on all new consumer-grade routers manufactured abroad, adding foreign-made routers to its Covered List. The FCC cited the involvement of foreign-manufactured routers in the Volt Typhoon, Flax Typhoon, and Salt Typhoon cyberattack campaigns as direct motivation.
Key details of the ban:
- It applies to new models only — previously purchased routers are not affected.
- The definition covers any router undergoing major manufacturing stages outside the U.S., regardless of the company’s nationality.
- The Department of Defense or Department of Homeland Security can grant conditional exemptions for foreign routers meeting specific security standards.
What about enterprise routers? This is where it gets murky. The FCC’s language specifically targets “consumer-grade” equipment. Enterprise routers from Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst appear to be exempt, though the exact line between “consumer” and “enterprise” hasn’t been clearly defined.
5Gstore has reached out to the FCC seeking clarification on how consumer-grade vs. enterprise-grade is defined under this rule, and we are awaiting their response. We will update our customers as soon as we have more information. In the meantime, the enterprise brands we carry — Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst — are designed and marketed for business use and, based on our reading of the rule, would not be affected.
For a deeper look at the FCC ruling and its implications, see our companion post: The FCC’s New Router Ban: What Businesses Must Know.
Why Enterprise Routers Are Different
The CVE data reflects a fundamental difference in how consumer and enterprise routers are designed, maintained, and supported. Here’s why the gap exists:
Security-first design. Enterprise router manufacturers like Cradlepoint and Peplink build products for businesses that handle sensitive data. Security is baked into the design process from day one, not bolted on as an afterthought. Features like FIPS 140-2 certification (which Inseego has achieved) require passing rigorous government security standards.
Smaller attack surface. Consumer routers try to be everything to everyone — web servers, media streaming, USB sharing, cloud management, IoT hubs. Each feature is another potential entry point. Enterprise routers focus on doing one thing exceptionally well: providing secure, reliable connectivity.
Active security maintenance. Enterprise vendors provide regular firmware updates, security patches, and long-term support for their products. Consumer routers are often sold and forgotten — the Fraunhofer Institute found in 2020 that 36% of the 127 consumer routers they tested hadn’t received a firmware update in over a year.
Professional monitoring. Enterprise routers like those from Cradlepoint (with NetCloud Manager) and Peplink (with InControl) include centralized cloud management that makes it easy to push updates across your entire fleet and monitor for security issues.
What Should Your Business Do?
1. Audit your network equipment. If you’re running your business on consumer-grade routers — especially from brands like TP-Link, D-Link, or consumer Netgear — understand that you’re operating on hardware with a track record of hundreds of documented security vulnerabilities.
2. Upgrade to enterprise-grade equipment. The brands we carry at 5Gstore — Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst — all have single-digit to low-double-digit CVE histories spanning the last decade. That’s not a coincidence; it reflects fundamentally different approaches to security.
3. Keep firmware updated. Regardless of what router you use, make sure you’re running the latest firmware. Many of the CVEs we counted have patches available — but they only work if you install them.
4. Monitor the FCC situation. The foreign router ban is new, and the details are still being clarified. If you’re currently using foreign-manufactured consumer routers in a business setting, this is a good time to start planning your transition to enterprise equipment.
5. Don’t wait for a breach. The Volt Typhoon campaign operated undetected for five years. The botnets exploiting TP-Link routers have been running since at least 2023. By the time you know your router has been compromised, the damage may already be done.
The Bottom Line
Ten years of CVE data makes the case clearly: consumer routers carry dramatically more security risk than enterprise alternatives. The average consumer brand in our study had 12 times more documented vulnerabilities than the enterprise brands 5Gstore sells. The recent FCC ban on foreign-made consumer routers — driven by real-world nation-state cyberattacks — underscores that this isn’t a theoretical concern.
Your router is the front door to your entire network. The data says it’s worth investing in a good lock.
5Gstore Take
We didn’t build this analysis to scare you — we built it because we think businesses deserve to make network security decisions with real data in front of them, not marketing copy. The 12-to-1 CVE gap between consumer and enterprise routers isn’t something we invented; it comes straight out of NIST’s National Vulnerability Database.
At 5Gstore, we carry Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst — all enterprise-class brands with track records that match the green bars in the charts above. If you’re ready to move off consumer hardware, or just have questions about what the right enterprise solution looks like for your specific use case, reach out to our team. That’s exactly what we’re here for. Also, check out our RouterCVE Report Card.
Frequently Asked Questions
What is a CVE and why does it matter for router security?
CVE stands for Common Vulnerabilities and Exposures — a publicly catalogued security flaw in hardware or software. Each CVE represents a known way an attacker could compromise a device. A router with 400+ CVEs has been documented as hackable in hundreds of distinct ways. The National Vulnerability Database (NVD), maintained by NIST, is the authoritative source for CVE data.
Why do consumer routers have so many more CVEs than enterprise routers?
Consumer routers are built for low cost and ease of use, not security. They pack in many features (media servers, USB sharing, cloud services) that increase the attack surface. Enterprise routers are built for one purpose — secure, reliable connectivity — and are backed by dedicated security teams that actively find and patch vulnerabilities. The difference in security posture is fundamental, not cosmetic.
Are the brands 5Gstore sells affected by these vulnerabilities?
Our enterprise brands — Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst — collectively average around 18 CVEs over 10 years, compared to 217 for the consumer brands in our study. That 12-to-1 gap reflects the enterprise-first design philosophy of the equipment we sell. No router is completely immune to vulnerabilities, but enterprise gear is dramatically less exposed.
Is TP-Link actually banned in the United States?
As of March 2026, the FCC has banned new consumer-grade routers manufactured abroad from receiving FCC equipment authorization — effectively blocking new TP-Link consumer router models from being imported or sold in the U.S. going forward. Existing TP-Link routers already in use are not banned. TP-Link has also moved its U.S. headquarters to California and shifted some manufacturing to Vietnam in response to government scrutiny.
What is Volt Typhoon?
Volt Typhoon is a Chinese state-sponsored cyber espionage group that, according to FBI and CISA advisories, spent at least five years undetected inside American critical infrastructure networks — including energy, water, and transportation systems. The group used compromised consumer routers (many of them TP-Link devices) as relay points to disguise their traffic and move through targeted networks. It’s one of the most significant known cyber intrusions into U.S. infrastructure.
What is the CVSS score and what do the severity levels mean?
CVSS (Common Vulnerability Scoring System) is a standardized scale from 0 to 10 used to rate the severity of security vulnerabilities. Critical (9.0-10.0) means an attacker can likely take complete remote control without a password. High (7.0-8.9) includes serious flaws enabling remote code execution or data theft. Medium (4.0-6.9) requires some preconditions to exploit. Low (0.1-3.9) has limited real-world impact.
Does having more CVEs mean a product is less safe if the vendor patches them quickly?
Partly — this is why Cisco and Juniper’s high CVE counts don’t tell the same story as D-Link or TP-Link’s. Cisco and Juniper have large dedicated security teams that find vulnerabilities proactively and issue patches rapidly. Consumer brands like Tenda or D-Link often publish CVEs for vulnerabilities that never receive patches, or where affected devices have already passed end-of-life support. Patch velocity and commitment to long-term support matter as much as raw CVE count.
How often should I update my router’s firmware?
For enterprise routers, check for firmware updates at least monthly and apply security patches promptly. Most enterprise management platforms (like Peplink’s InControl or Cradlepoint’s NetCloud) make this easy to do across your entire fleet from a single dashboard. For consumer routers, enable automatic updates if available — the Fraunhofer Institute found that 36% of consumer routers tested in 2020 hadn’t been updated in over a year, leaving known vulnerabilities wide open.
What’s the difference between Netgear consumer and Netgear ProSAFE?
Netgear sells two very different product lines under the same brand. Their consumer line (Nighthawk, Orbi, Armor) targets home users and has accumulated approximately 450 CVEs over the past decade. Their ProSAFE line — enterprise switches, managed access points, and business routers — is a separate product category with roughly 38 CVEs over the same period. When evaluating Netgear equipment for business use, the product line matters enormously.
How do I know if my current router is enterprise-grade or consumer-grade?
A few quick indicators: enterprise routers are typically sold through specialized technology retailers (like 5Gstore) rather than big-box stores; they include cloud management platforms (InControl, NetCloud, etc.); they support advanced features like SD-WAN, VPN bonding, and carrier failover; and they come with multi-year support and warranty options. If your router came from Amazon, Best Buy, or your ISP, it’s almost certainly consumer-grade. If you’re not sure, ask us — we’ll give you a straight answer.
Sources and References
- National Vulnerability Database (NVD) — nvd.nist.gov
- CVE Details — cvedetails.com
- OpenCVE — app.opencve.io
- CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog
- Fraunhofer FKIE, “Home Router Security Report 2020” — fkie.fraunhofer.de
- Forescout, “Sierra:21 — Supply Chain Vulnerabilities in IoT/OT Routers” (2023)
- Check Point Research, “Camaro Dragon / Horse Shell Firmware Implant” (May 2023)
- Microsoft Threat Intelligence, “CovertNetwork-1658” Analysis (October 2024)
- CISA/FBI Joint Advisory on Volt Typhoon (2024)
- FCC, “Updates to Covered List: Foreign-Made Consumer Routers” (March 2026) — fcc.gov
- Cybersecurity Dive, “Ballista Botnet Exploits TP-Link Routers” (March 2025)
- Texas Attorney General, “Paxton Sues TP-Link” (October 2025)
Have questions about upgrading your network security? The team at 5Gstore.com is here to help. Contact us to discuss which enterprise router solution is right for your business.
