TP-Link, the Chinese-founded router manufacturer, is making a bold play to secure an FCC exemption from the foreign-made router ban by emphasizing its U.S. operations and downplaying its Chinese origins. But new data reveals a troubling TP-Link security record that raises serious questions about whether exemptions should be granted based on nationality alone.
TP-Link’s FCC Exemption Strategy
In meetings with FCC officials last Thursday, TP-Link’s legal team stressed that the company is “a US company, with headquarters in Irvine, California.” This positioning represents a significant shift from the company’s Chinese roots, where it was founded in Shenzhen in 1996.
The company completed its spin-off from Chinese operations in 2024, with founder and CEO Jeffrey Chao and his wife now residing in California. According to Bloomberg, Chao is seeking U.S. permanent residency through the Trump Gold Card program, which requires a $1 million payment.
TP-Link’s exemption request follows successful applications by U.S.-based Netgear and Adtran, who received 18-month reprieves from the router ban. The company argues that maintaining “innovation, competition, and consumer choice” in the router market requires their continued participation.
The Security Reality: 1,166 CVEs Tell a Different Story
While TP-Link claims its “routers are safe and secure” and that publicly available data places them “on par with or ahead of other major industry players,” the numbers tell a starkly different story. According to the CVE Report Card, TP-Link has accumulated an alarming 1,166 Common Vulnerabilities and Exposures (CVEs) over the past decade.
This massive vulnerability count places TP-Link among the worst performers in router security, with issues ranging from remote code execution flaws to authentication bypasses. The high CVE count indicates systemic security problems that go far beyond occasional bugs or oversights.
For context, enterprise-focused manufacturers like Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst typically maintain far lower CVE counts through rigorous security testing and rapid patch deployment. The stark contrast highlights why security-conscious enterprises choose proven enterprise solutions over consumer-grade alternatives.
Beyond Nationality: Why Security Track Records Matter
The FCC’s conditional approval process requires disclosure of ownership structure, foreign government support, and executive nationality. However, these bureaucratic checkboxes may be missing the most critical factor: actual security performance in the field.
TP-Link’s 1,166 CVEs represent real vulnerabilities that have exposed millions of users to potential attacks. Recent incidents include CISA warnings about TP-Link devices being compromised by state-sponsored actors, demonstrating that theoretical security concerns have materialized into actual threats.
The company’s consumer focus may explain some vulnerability accumulation, as consumer devices often lack the rigorous security frameworks required for enterprise deployments. However, 1,166 CVEs suggests deeper systemic issues with security development practices.
5Gstore Take: Security Should Trump Politics
While TP-Link’s corporate restructuring addresses some regulatory concerns, the company’s massive CVE accumulation raises fundamental questions about product security that transcend nationality issues. With 1,166 documented vulnerabilities, TP-Link’s security track record speaks louder than corporate headquarters addresses.
The FCC should consider security performance metrics alongside ownership structures when evaluating exemption requests. A company’s ability to secure its products matters more than where its executives reside, especially when those products guard critical network infrastructure.
For businesses seeking reliable connectivity solutions, the CVE data provides clear guidance: choose manufacturers with proven security track records rather than gambling on companies with extensive vulnerability histories, regardless of their corporate domicile.
What This Means for Network Security
The TP-Link exemption debate highlights a broader challenge in network security: balancing market access with security requirements. While consumer router markets may tolerate higher vulnerability rates in exchange for low prices, enterprise and critical infrastructure deployments demand higher security standards.
The FCC’s foreign router ban represents an attempt to address security concerns through nationality restrictions, but TP-Link’s restructuring shows how easily such measures can be circumvented. More effective approaches might focus on security certification requirements, mandatory vulnerability disclosure timelines, and penalties for excessive CVE accumulation.
For network administrators, the lesson is clear: evaluate router security based on documented performance rather than marketing claims or corporate restructuring announcements.
FAQ
How many CVEs does TP-Link have compared to other router manufacturers?
TP-Link has accumulated 1,166 CVEs over the past decade, significantly higher than most enterprise-focused manufacturers. Enterprise router companies typically maintain much lower CVE counts through rigorous security testing and rapid patch deployment processes.
What is a CVE and why does it matter for router security?
A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed security vulnerability with a unique identifier. High CVE counts indicate systematic security problems that can expose networks to attacks, data breaches, and unauthorized access.
Will TP-Link’s corporate restructuring improve its security record?
Corporate restructuring addresses regulatory and ownership concerns but doesn’t directly impact product security practices. TP-Link’s security improvements will depend on changes to development processes, security testing, and vulnerability management rather than headquarters location.
Should businesses avoid TP-Link routers due to security concerns?
The 1,166 CVE count suggests significant security risks that make TP-Link unsuitable for enterprise or security-sensitive deployments. Businesses should consider manufacturers with proven security track records and lower vulnerability counts for critical network infrastructure.
How can I check my router’s security record before purchasing?
Use resources like the 5Gstore CVE Report Card to research vulnerability counts and security track records before making router purchases. Compare CVE numbers, patch response times, and security certifications across different manufacturers.
