That Cheap Router on Your Desk? The US Just Called It a National Security Threat.

Two days ago, the Attorney General of Texas filed a lawsuit against TP-Link Systems Inc., the company behind the little router blinking away in your server cupboard, your reception desk, or your home office. The claim: that TP-Link marketed its products as secure while Chinese state-sponsored hackers were actively using compromised TP-Link routers to attack Western organisations.

This wasn't a surprise to anyone paying attention. It was the latest salvo in a two-year regulatory offensive that has seen three US federal departments open investigations, a proposed nationwide sales ban, and now the first of what Texas promises will be several lawsuits against CCP-aligned technology companies.

The UK has done precisely nothing.

Let me walk you through what is actually happening, why it matters to you sitting in Horsham or Halifax or Harrogate, and what you should do about it today.

TP-Link Is Everywhere, and That Is Exactly the Problem

TP-Link is the world's bestselling router brand. In the United States, lawmakers put the figure at roughly 65% of the Wi-Fi router market. TP-Link itself disputes that number and puts it closer to 36%, but even their own figures make them the dominant player by a considerable margin. Their business line, Omada, is actively marketed to UK SMEs as an affordable, enterprise-grade networking solution.

This dominance is not accidental. The US Department of Justice has opened a criminal antitrust investigation into whether TP-Link has been selling routers below cost to eliminate American competitors, with potential corporate fines of up to $100 million. Whether or not that investigation leads anywhere, the effect is clear: TP-Link got cheap by getting big, got big by being cheap, and is now in more offices and homes than any other brand on earth.

That makes it an extraordinarily attractive target for state-sponsored hackers. When you compromise one brand's firmware, you potentially own a significant slice of the world's network edge.

The Hackers Didn't Wait for the Lawyers

While US politicians were writing strongly worded letters in August 2024, Chinese state-sponsored hackers were already building their attack networks.

The operation is called the Quad7 botnet, which Microsoft tracks as CovertNetwork-1658. At its peak, it had compromised over 16,000 devices worldwide, with TP-Link WR841N and Archer C7 routers forming the majority of the infected fleet. The attackers exploit two chained vulnerabilities: first, an unauthenticated file disclosure flaw to steal credentials from the device, then a command injection vulnerability to take full control.

Once a router is compromised, the attackers expose a backdoor on TCP port 7777 and a SOCKS5 proxy on port 11288. This turns your business router into an anonymised launchpad for attacks on other organisations, with your IP address appearing in the logs as the attacker.

The group using this infrastructure is Storm-0940, a Chinese state-sponsored threat actor Microsoft documented in detail on 31 October 2024. Their speciality is password-spraying attacks against Microsoft 365 accounts: carefully submitting just one login attempt per account per day to stay below detection thresholds. When they succeed, they use the stolen credentials on the same day, indicating what Microsoft diplomatically describes as "a close working relationship" with the botnet operators. In plain English: the people who built the botnet and the people using it to attack businesses are working together.
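The detection problem in that pattern, as an added example that is not from the post or from Microsoft: a per-source check over constructed sign-in events (the log format, account names and addresses are all made up) that flags a source address which touched many accounts with a single failed guess each and reports any same-day success from it.

```python
"""Detect low-and-slow password spraying: one guess per account per day from a
shared source, spread across many accounts, with any success reused the same day.
Per-account lockouts never fire, so the detection pivots on the source address."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events "timestamp user source_ip result"; not a real
# Microsoft 365 export format, just enough fields to show the logic.
SAMPLE_EVENTS = """\
2026-02-16T03:14:02Z alice@example.co.uk 203.0.113.7 FAIL
2026-02-16T03:21:40Z bob@example.co.uk 203.0.113.7 FAIL
2026-02-16T03:33:11Z carol@example.co.uk 203.0.113.7 FAIL
2026-02-16T03:40:55Z dave@example.co.uk 203.0.113.7 FAIL
2026-02-16T03:52:19Z erin@example.co.uk 203.0.113.7 SUCCESS
2026-02-16T09:00:00Z alice@example.co.uk 198.51.100.5 FAIL
2026-02-16T09:00:30Z alice@example.co.uk 198.51.100.5 FAIL
2026-02-16T09:01:00Z alice@example.co.uk 198.51.100.5 SUCCESS
2026-02-17T03:15:00Z frank@example.co.uk 203.0.113.7 FAIL
"""


def parse_events(text):
    """Return (day, user, source_ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, result = line.split()
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
            events.append((day, user.lower(), ip, result == "SUCCESS"))
    return events


def find_spray_sources(events, min_accounts=4):
    """Flag (source_ip, day) pairs that failed against many accounts without ever
    retrying one; returns {(ip, day): {"accounts": n, "compromised": [users]}}."""
    fails = defaultdict(lambda: defaultdict(int))  # (ip, day) -> user -> failures
    wins = defaultdict(set)                        # (ip, day) -> users logged in
    for day, user, ip, ok in events:
        if ok:
            wins[(ip, day)].add(user)
        else:
            fails[(ip, day)][user] += 1
    findings = {}
    for key, per_user in fails.items():
        touched = set(per_user) | wins[key]
        # Many accounts and no second guess at any of them: a spray, not a typo.
        if len(touched) >= min_accounts and max(per_user.values()) <= 1:
            findings[key] = {"accounts": len(touched), "compromised": sorted(wins[key])}
    return findings


if __name__ == "__main__":
    for (ip, day), info in find_spray_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{day} {ip}: {info['accounts']} accounts touched, reused: {info['compromised']}")
```

The legitimate user at 198.51.100.5 who mistypes twice is not flagged, because the check requires many distinct accounts and no repeat guesses.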

This is not theoretical. This is happening to organisations whose staff are using Microsoft 365, which is most of you.

And CISA, the US Cybersecurity and Infrastructure Security Agency, has added at least five TP-Link CVEs to its Known Exploited Vulnerabilities catalogue. For end-of-life products, their guidance is blunt: "Users should discontinue product utilisation." Not "consider upgrading." Discontinue.

What Texas Actually Did, and Why It Matters

On 17 February 2026, Texas Attorney General Ken Paxton filed his lawsuit under the Texas Deceptive Trade Practices Act. The specific allegations are worth reading carefully.

The lawsuit claims that despite TP-Link products being labelled "Made in Vietnam," less than one percent of device components are actually sourced from Vietnam, with nearly all imported from China. It claims a Chinese military company is working to expand TP-Link's manufacturing facilities in Vietnam, which is exactly the kind of thing you do if you want your "not made in China" label to survive regulatory scrutiny. It claims TP-Link marketed its products as secure while firmware was being actively exploited by Chinese state hackers.

Paxton described this as "the first of several lawsuits" against CCP-aligned companies, filed in the same week Texas Governor Greg Abbott updated the state's Prohibited Technologies List to include TP-Link alongside Hisense, TCL, Xiaomi, and Temu. That list functions as a "do not buy, do not deploy" directive for all Texas government networks.

Florida's Attorney General James Uthmeier issued an investigative subpoena to TP-Link in December 2025. The Federal Trade Commission has opened its own investigation into whether TP-Link misled consumers about its China connections following its 2024 corporate restructuring.

TP-Link's defence rests on two pillars. First, they completed a corporate restructuring in 2024 that created TP-Link Systems Inc., a California-incorporated entity with approximately 500 US employees, wholly owned by co-founder Jeffrey Chao and his wife, handling all non-China global sales. Second, they argue that router vulnerabilities are an industry-wide problem, not specific to their products.

Both points have some merit. The corporate restructuring is real. Router security is genuinely an industry-wide disaster. But critics have a sharp response to the restructuring argument: China's National Intelligence Law of 2017 requires all organisations and citizens to "support, assist, and cooperate with national intelligence efforts." TP-Link maintains significant operations and tens of thousands of staff in China. A California incorporation doesn't override Beijing's legal reach into those operations.

And on the industry-wide argument? A May 2025 congressional letter alleged that TP-Link is the only router company that refuses to engage in industry efforts to remediate Chinese state-sponsored botnets. That is rather difficult to defend.

Where the Federal Ban Actually Stands

This is where it gets complicated, and I will be straight with you rather than pretend it's simple.

In late 2024, the US Commerce Department subpoenaed TP-Link. By October 2025, an interagency risk assessment involving Commerce, Defence, and Justice concluded that a sales ban was warranted. Three federal departments backed the finding. The Washington Post reported this in October 2025.

Then, on 12-13 February 2026, the Trump administration paused the proposed ban ahead of an April summit between Trump and Xi Jinping. No formal ban has been enacted as of today.

So the US government simultaneously believes TP-Link poses a national security risk serious enough to warrant a ban, and has decided not to implement that ban because trade diplomacy takes precedence. You can draw your own conclusions about what that says about the sincerity of the security concern versus the commercial one. The security risk does not become smaller because a summit is scheduled.

The UK Is Asleep at the Wheel, Again

The NCSC has issued no advisory naming TP-Link. Parliament has held no debates on the topic. UK retailers continue to sell TP-Link products without restriction or disclosure. The government's response to Chinese-linked technology risk in the consumer and SME networking space is, as of today: silence.

The UK does have the Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force on 29 April 2024. This is vendor-neutral legislation requiring manufacturers of all connected consumer products sold in the UK to drop default passwords, maintain vulnerability disclosure policies, and publish minimum security update periods, with fines of up to £10 million or 4% of global turnover for non-compliance.

The PSTI Act is a good thing. It raises the floor for all consumer IoT devices, including routers. But it is emphatically not a substitute for the kind of specific, intelligence-led risk assessment that led three US federal departments to back a ban. The PSTI Act tells TP-Link to stop shipping routers with the password "admin." It says nothing about firmware architectures that can be remotely exploited by state-sponsored actors, or corporate structures that may be subject to Chinese intelligence law.

We banned Huawei from 5G infrastructure. We have said nothing about the Chinese-manufactured routers running in the 5-to-50-employee businesses that provide services to those same infrastructure operators. That is the supply chain problem I have written about before.

This Is Not Just an American Problem

I want to be precise here, because I have no interest in whipping up panic about something that doesn't directly affect you.

The Quad7 botnet does not care where you are geographically. Storm-0940's password-spraying attacks target Microsoft 365 accounts. If your business uses Microsoft 365, you are a potential target. Storm-0940's documented victims include European organisations. The NCSC's own 2025 Annual Review names Chinese state-sponsored cyber activity as a tier one national security threat to the UK.

The credential theft problem is already critical without adding compromised routers to the mix. Now consider that an attacker with control of your office router can intercept traffic, redirect DNS queries, and conduct man-in-the-middle attacks against your authenticated sessions. Your MFA token arrives. They see it. The firmware implant was waiting for it.

That is not paranoia. Check Point Research documented exactly this kind of firmware-level implant, called Camaro Dragon, in May 2023. The researchers noted it was "firmware-agnostic" and could theoretically affect multiple router brands. But it was found in TP-Link routers first.

State-sponsored actors are patient, persistent, and specifically targeting the supply chains that connect small businesses to larger targets. Your TP-Link router, sitting between the internet and your firm's data, is a rather attractive point of entry.

What You Should Actually Do

I am not going to tell you to rip out every TP-Link device you own by Friday morning. That would be disproportionate, disruptive, and expensive. I am going to tell you to treat this as a planning trigger, not a panic trigger.

First: Know what you have. Conduct a basic network equipment audit. List every router, access point, and switch on your network, who made it, when it was purchased, and when it last received a firmware update. If you cannot answer those questions about your own network, that is the first problem to fix, before you even get to the TP-Link question.

Second: Update firmware immediately. Whatever brand you are running, go to the manufacturer's support page today and check whether your current firmware is the latest version. The vulnerabilities being exploited in the Quad7 botnet are known and patched in current firmware. Running outdated firmware on any brand of router is indefensible in 2026. Schedule quarterly checks going forward.

Third: Change default credentials right now. The PSTI Act is trying to end the default-password era. Do not wait for legislation to force you into this. If your router still has the factory username and password, someone else may already own it. Change them today. Use a password manager to generate and store the credentials. Credential hygiene matters across every system in your business.

Fourth: Disable remote management unless you have a specific operational need for it. Remote management interfaces are the attack surface being exploited. If you are not actively using remote administration, turn it off. The setting is in your router's admin panel under something like "Remote Management" or "WAN Access." Disable it.

Fifth: Segment your network. Your printers, smart TVs, and IoT devices should not be on the same network segment as your business workstations and servers. A compromised IoT device should not be able to reach your accounts system. If your router supports VLANs or a guest network, use them. The same lesson applies to every consumer-grade device you put on your business network.

Sixth: Factor vendor provenance into future purchasing decisions. When you next replace networking equipment, ask your IT provider or MSP what they know about the manufacturer's security practices, where the firmware is built, and how quickly vulnerabilities are patched. "It was cheap" is not a sufficient answer. Neither is "everyone uses them."
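Steps one to five as a repeatable check, added here and not the author's own tooling: a small audit over a constructed inventory (device names, addresses and dates are all made up) that flags stale or unknown firmware, remote management, factory credentials, and the two listener ports the post attributes to Quad7. The probe only tests whether one of your own devices accepts a TCP connection on those ports.

```python
"""Assess a network inventory against the checks above: firmware age, remote
management, factory credentials, and the two TCP ports the post says the
Quad7 implant listens on (7777 backdoor, 11288 SOCKS5 proxy)."""
import socket
from datetime import date

QUAD7_PORTS = (7777, 11288)
AUDIT_DATE = date(2026, 2, 19)  # fixed "today" so the results are reproducible

# Constructed inventory; a real run would load the equipment list from step one.
INVENTORY = [
    {"name": "office-router", "ip": "192.0.2.1", "model": "Archer C7",
     "firmware_date": date(2024, 6, 1), "remote_mgmt": True, "default_creds": False},
    {"name": "guest-ap", "ip": "192.0.2.2", "model": "WR841N",
     "firmware_date": None, "remote_mgmt": False, "default_creds": True},
    {"name": "core-switch", "ip": "192.0.2.3", "model": "other-vendor",
     "firmware_date": date(2026, 1, 15), "remote_mgmt": False, "default_creds": False},
]


def tcp_open(host, port, timeout=1.0):
    """Probe one of your own devices: True if host:port accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_device(dev, today=AUDIT_DATE, probe=tcp_open, max_age_days=90):
    """Return the findings for one device; an empty list means nothing to act on."""
    findings = []
    if dev["firmware_date"] is None:
        findings.append("firmware date unknown: inventory gap, fix this first")
    elif (today - dev["firmware_date"]).days > max_age_days:
        findings.append(f"firmware {(today - dev['firmware_date']).days} days old")
    if dev["remote_mgmt"]:
        findings.append("remote management enabled: disable unless operationally needed")
    if dev["default_creds"]:
        findings.append("factory credentials still in use: change now")
    for port in QUAD7_PORTS:  # an implant listener on your own router is an incident
        if probe(dev["ip"], port):
            findings.append(f"tcp/{port} listening: Quad7 indicator, isolate and investigate")
    return findings


def audit(inventory, today=AUDIT_DATE, probe=tcp_open):
    """Map device name -> findings across the whole inventory."""
    return {dev["name"]: assess_device(dev, today, probe) for dev in inventory}


if __name__ == "__main__":  # real probes time out against the constructed addresses
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings) or "no findings")
```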

How to Turn This Into a Competitive Advantage

Most of your competitors are doing exactly what the UK government is doing: nothing. They are waiting for something to go wrong, or for someone to legislate them into action.

You do not have to wait. You can make vendor security scrutiny part of your standard operating procedure today, and use it as a genuine differentiator when talking to clients who care about where their data goes.

Document your network equipment decisions. When you choose networking hardware based on a considered assessment of security risk rather than purchase price alone, write it down. That documentation becomes evidence of diligent governance, which matters for Cyber Essentials certification, cyber insurance underwriting, and contract due diligence from larger clients.

Make it part of your supply chain security story. If you work with clients in regulated sectors, they are already being asked hard questions about their supply chains. If you can show that you have actively assessed your network infrastructure against nation-state threat intelligence, you are a more attractive partner than a competitor who bought whatever was cheapest on Amazon.

Use the PSTI Act as a baseline, not a ceiling. Tell clients you meet the legal minimum and then describe what you do beyond it. That framing positions you as proactive rather than merely compliant. Compliance without genuine security is theatre, and your clients are increasingly capable of spotting the difference.

How to Sell This to Your Board

If you need to make the case for a network infrastructure review to a board or senior leadership team, here are the arguments that tend to land.

The liability argument: Three US federal departments have concluded that a specific category of networking equipment poses a national security risk significant enough to warrant a sales ban. The US Senate Foreign Relations Committee has called Chinese networking equipment "a clear and present danger." If your firm suffers a breach and it subsequently emerges that you were using equipment subject to this level of documented official concern, your D&O insurers will want to know why you took no action after the risk became public knowledge.

The insurance argument: Cyber insurers are already asking increasingly detailed questions about network architecture and equipment provenance. The underwriters reading your renewal application in 2027 will have read the same headlines you are reading today. Get ahead of their questions rather than scramble to answer them under pressure.

The client retention argument: Your B2B clients, particularly those in professional services, financial services, and healthcare, will begin asking their suppliers about network security practices. Whether triggered by their own regulatory requirements or their own risk assessments, that question is coming. Having a clear, documented answer ready is a commercial advantage.

The cost argument: Replacing networking equipment does not require a wholesale rip-and-replace exercise on a single weekend. It can be planned, budgeted, and executed over a normal hardware refresh cycle. The cost of doing it properly over 18 months is substantially less than the cost of a breach attributed to a device you knew was problematic.

What This Means for Your Business

The TP-Link situation is a useful lens through which to examine a broader question: how much do you actually know about the security posture of the hardware running your network?

Most small businesses have no idea. They bought a router, plugged it in, and have not thought about it since. That was understandable five years ago. It is not understandable now.

The documented exploitation of TP-Link routers by Chinese state-sponsored hackers is not going to stop because the US paused a ban or because the UK has not yet acted. The Quad7 botnet is still operating. Storm-0940 is still spraying passwords. The compromised firmware is still running on devices in offices that have never received a security update since they were unboxed.

You do not need to wait for a government to tell you this is a problem. Three governments' worth of intelligence agencies already have.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com