TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities

Cisco Talos disclosed a series of vulnerabilities affecting TP-Link routers, Adobe Photoshop, OpenVPN, and Norton VPN. Notably, a privilege escalation flaw in Norton VPN (CVE-2025-58074) was exploited in the wild before a patch was available, while the TP-Link flaws allow for remote code execution via command injection and buffer overflows.

Sens: Immediate | Conf: high | Analyzed: 2026-05-19

Authors: Kri Dontje, Cisco Talos

Source: Cisco Talos


What Happened

Security researchers have discovered several software flaws in popular products including TP-Link Wi-Fi routers, Adobe Photoshop, OpenVPN, and Norton VPN. Users of these products could be at risk of hackers taking control of their devices or accessing sensitive information. Notably, the flaw in Norton VPN was already being used by attackers before a fix was created. Most of the affected companies have released updates to fix these issues. Users should immediately update their TP-Link routers, Photoshop, OpenVPN, and Norton VPN software to the latest versions.

Key Takeaways

  • Cisco Talos disclosed multiple vulnerabilities across TP-Link, Adobe Photoshop, OpenVPN, and Norton VPN.
  • A zero-day privilege escalation vulnerability (CVE-2025-58074) was discovered in-the-wild in Gen Digital's Norton VPN client.
  • Eight vulnerabilities were found in the TP-Link Archer AX53 router, primarily involving OS command injection and buffer overflows leading to remote code execution.
  • All vulnerabilities except the Norton VPN flaw have been patched by their respective vendors.

Affected Systems

  • TP-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553)
  • Adobe Photoshop installer (Photoshop_Set-Up.exe 2.11.0.30)
  • OpenVPN 2.6.x and 2.8_git
  • Gen Digital Norton VPN client

Vulnerabilities (CVEs)

  • CVE-2026-30814
  • CVE-2026-30815
  • CVE-2026-30816
  • CVE-2026-30817
  • CVE-2026-30818
  • CVE-2026-34632
  • CVE-2026-35058
  • CVE-2025-58074

Attack Chain

Attackers can exploit the TP-Link vulnerabilities by sending specially crafted network packets or uploading malicious configuration files to achieve remote code execution or arbitrary file reads. For the Photoshop and Norton VPN vulnerabilities, a local low-privileged user can replace files during the Microsoft Store installation process to escalate privileges. The OpenVPN vulnerability allows an attacker to cause a denial of service by sending a sequence of malicious packets targeting the TLS Crypt v2 Client Key Extraction functionality.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Snort.org

Snort coverage is available to detect the exploitation of these vulnerabilities via rule sets downloaded from Snort.org.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect privilege escalation attempts (file replacements during installation) for Photoshop and Norton VPN, but may have limited visibility into the TP-Link router exploitation.
  • Network Visibility: High — Network sensors (like Snort) can detect the crafted packets targeting the TP-Link buffer overflow and the OpenVPN DoS vulnerabilities.
  • Detection Difficulty: Moderate — Detecting network-based exploits requires updated IDS/IPS signatures, while catching the local privilege escalation requires monitoring file operations during specific installation windows.

Required Log Sources

  • Network IDS/IPS logs
  • Endpoint process creation logs
  • File integrity monitoring logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for unexpected file modifications or deletions occurring in the context of Microsoft Store application installations, particularly for Norton VPN and Adobe Photoshop.
    Telemetry: File integrity monitoring, EDR file events
    ATT&CK Stage: Privilege Escalation
    FP Risk: Medium
  • Hypothesis: If you have visibility into network traffic, consider hunting for anomalous configuration file uploads to TP-Link Archer AX53 routers, specifically targeting OpenVPN or dnsmasq restore functions.
    Telemetry: Network traffic, Web application firewall logs
    ATT&CK Stage: Initial Access
    FP Risk: Low
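One way to turn the first hypothesis into hunt logic, added here as an illustration and not taken from the Talos disclosure or any vendor tooling: it correlates EDR process and file events and flags a file written or deleted by a non-privileged account inside an installer's working directory while that installer is still running. The event schema, paths, PID and user names are constructed assumptions, not real telemetry.

```python
from datetime import datetime

# Constructed sample EDR events (assumed schema, not real telemetry). An installer
# runs as SYSTEM; a standard user overwrites a file in its staging directory while
# it runs, a SYSTEM write is benign, and a later user write falls outside the window.
SAMPLE_EVENTS = [
    {"ts": "2026-05-19T10:00:00", "type": "process_start", "pid": 4242,
     "image": "C:\\ProgramData\\ExampleVendor\\Setup.exe",
     "user": "NT AUTHORITY\\SYSTEM",
     "workdir": "C:\\ProgramData\\ExampleVendor\\staging"},
    {"ts": "2026-05-19T10:00:05", "type": "file_write",
     "user": "NT AUTHORITY\\SYSTEM",
     "path": "C:\\ProgramData\\ExampleVendor\\staging\\manifest.json"},
    {"ts": "2026-05-19T10:00:07", "type": "file_write",
     "user": "WORKSTATION\\alice",
     "path": "C:\\ProgramData\\ExampleVendor\\staging\\helper.dll"},
    {"ts": "2026-05-19T10:00:30", "type": "process_end", "pid": 4242},
    {"ts": "2026-05-19T10:05:00", "type": "file_delete",
     "user": "WORKSTATION\\alice",
     "path": "C:\\ProgramData\\ExampleVendor\\staging\\helper.dll"},
]

# Accounts whose writes during installation are expected (assumed allow-list).
PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
              "NT AUTHORITY\\NETWORK SERVICE"}
FILE_EVENTS = {"file_write", "file_delete", "file_rename"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt_installer_file_replacement(events):
    """Return findings for non-privileged file changes that land inside the
    working directory of an .exe installer between its start and end events."""
    open_windows = {}  # pid -> lower-cased working directory of a running installer
    findings = []
    for e in sorted(events, key=_ts):  # replay in time order
        if e["type"] == "process_start" and e["image"].lower().endswith(".exe"):
            open_windows[e["pid"]] = e["workdir"].lower()
        elif e["type"] == "process_end":
            open_windows.pop(e["pid"], None)  # installation window closed
        elif e["type"] in FILE_EVENTS and e["user"] not in PRIVILEGED:
            for pid, workdir in open_windows.items():
                if e["path"].lower().startswith(workdir + "\\"):
                    findings.append({"pid": pid, "user": e["user"],
                                     "path": e["path"], "ts": e["ts"]})
    return findings
```

Only the write at 10:00:07 is reported: the SYSTEM write is allow-listed and the 10:05:00 delete happens after the installer has exited.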

Control Gaps

  • Lack of network segmentation for IoT/router devices
  • Insufficient monitoring of local installation processes

Key Behavioral Indicators

  • Unexpected child processes spawned by router web services
  • File replacement events during .exe installer execution

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Apply the latest vendor patches for TP-Link Archer AX53, Adobe Photoshop, and OpenVPN immediately.
  • Investigate any endpoints running Gen Digital's Norton VPN for signs of compromise, as the vulnerability was exploited in the wild.

Infrastructure Hardening

  • Ensure management interfaces for routers and network devices are not exposed to the public internet.
  • Deploy updated Snort rules to network intrusion detection/prevention systems to block exploitation attempts.

User Protection

  • Restrict standard users from installing unapproved software from the Microsoft Store where possible.
  • Ensure EDR solutions are actively monitoring file system changes during software installations.

Security Awareness

  • Remind users to only install software from approved corporate repositories rather than public app stores when applicable.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1068 - Exploitation for Privilege Escalation
  • T1498 - Network Denial of Service