Router CVE decade view

A router is the box at the network edge, where a company or home meets the internet, and a Common Vulnerabilities and Exposures entry is the public record for a flaw in that box. A ten-year review published April 12 found some router brands and product lines racked up repeated high and critical flaws, not one-off mistakes. (5gstore.com) The review said it examined 10 years of records across 16 manufacturers using the National Vulnerability Database, OpenCVE, CVE Details, and the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. The Common Vulnerabilities and Exposures program, run with support from the Cybersecurity and Infrastructure Security Agency and The MITRE Corporation, now lists more than 325,000 records. (5gstore.com) (cve.org) In plain terms, a high or critical score means a bug can let an attacker break in, run code, steal data, or knock a device offline, sometimes from the internet and sometimes without a password. The Cybersecurity and Infrastructure Security Agency says its Known Exploited Vulnerabilities catalog tracks flaws already used in real attacks and should feed patching priorities. (5gstore.com) (cisa.gov) The timing is awkward for anyone still treating routers as set-and-forget hardware. On March 23, 2026, the Federal Communications Commission said new foreign-made consumer routers would be added to its Covered List after an interagency national security determination. (docs.fcc.gov) That same pressure is showing up in active operations and court filings. On April 8, 2026, the Justice Department said Russian military hackers had exploited known vulnerabilities to steal credentials for thousands of TP-Link routers, and Texas sued TP-Link on February 19, 2026 over alleged China-linked hacking risks and deceptive security claims. (justice.gov) (bleepingcomputer.com) The 5Gstore analysis split the market into consumer brands, enterprise brands it sells, and large enterprise vendors. It said the brands it carries — Peplink, Cradlepoint, Teltonika, Semtech, Inseego, Digi, and Katalyst — had single-digit to low-double-digit Common Vulnerabilities and Exposures counts over the decade, while consumer brands clustered in the hundreds. (5gstore.com) That does not mean every low-count vendor is immune, or that every listed flaw was equally dangerous. Ericsson’s Cradlepoint advisories show a mix of patched issues, third-party software exposure, and cases the company rated low severity, including a November 18, 2022 command-injection bulletin and a May 25, 2023 kernel-related notice. (cradlepoint.com) The report’s practical recommendation was not to build a giant asset database first. It said teams should keep a short register for each edge device with the model, firmware update path, support owner, and known replacement, so old routers do not sit in service after patch support fades. (5gstore.com) That turns the router back into what it is: not a commodity plastic box, but an exposed control point with a software life cycle. The decade view says the safest buying question is no longer just speed or price, but who patches the box, how long they patch it, and who owns replacing it when that stops. (5gstore.com)