TP-Link makes 65% of the routers Americans buy. The US government is investigating whether to ban them. Commerce, Defense, and Justice departments — all three probing one router company. TP-Link is headquartered in Shenzhen, China, subject to China's National Intelligence Law. Your router sees every device on your network, every website you visit, every connection you make. Two-thirds of American homes chose to put a Chinese government-obligated device between their entire digital life and the internet. The device that sees everything in your home is made by a company legally required to show everything to Beijing. The FCC banned TP-Link routers. March 23, 2026. Not just TP-Link — all foreign-made routers, but TP-Link holds 65% of the American market, so the impact is theirs. The reason: Volt Typhoon, Flax Typhoon, Salt Typhoon — Chinese state-sponsored cyberattack campaigns that used home routers to infiltrate American communications and critical infrastructure. Microsoft found thousands of compromised TP-Link routers in the attack chain. Texas sued TP-Link for allowing Beijing access to American devices. The router sitting in two-thirds of American homes was a weapon in a cyberwar most Americans didn't know was happening.
What they claim: TP-Link markets its routers as providing "reliable and secure" home networking.
What we found: In 2024, the US government opened an investigation into TP-Link over national security concerns, with Commerce, Defense, and Justice departments all probing the company. Lawmakers called for a ban on TP-Link routers in US government facilities. TP-Link is headquartered in Shenzhen, China (though it established a US entity in 2024). China's National Intelligence Law requires Chinese companies to cooperate with state intelligence. TP-Link holds approximately 65% of the US consumer router market. A router from a Chinese company subject to Chinese intelligence law sits between your entire home network and the internet, and two-thirds of American homes that buy a router choose this one.
What they claim: TP-Link continues to sell routers in the US market as reliable home networking equipment.
What we found: On March 23, 2026, the FCC banned all new foreign-made consumer routers from receiving equipment authorizations, citing the Volt, Flax, and Salt Typhoon cyberattacks that used foreign-produced routers to attack American communications and critical infrastructure. TP-Link, with 65% of the US consumer router market, was most impacted. A Microsoft analysis identified thousands of compromised TP-Link routers used for cyberattacks against government agencies. Texas Attorney General Ken Paxton separately sued TP-Link for deceptive marketing and "allowing Beijing to access American consumers' devices." TP-Link is seeking conditional FCC approval by promising US manufacturing. The router in two-thirds of American homes was used in state-sponsored cyberattacks and banned by the FCC.
What they claim: TP-Link states it takes "security seriously" and regularly updates firmware.
What we found: TP-Link routers have had numerous critical CVEs. CVE-2023-1389 was a command injection vulnerability in the Archer AX21 that was actively exploited by the Mirai botnet to recruit routers into DDoS attacks. CISA added it to the Known Exploited Vulnerabilities catalog. Multiple TP-Link models have been found with hardcoded credentials, default admin passwords, and firmware update mechanisms that don't verify signatures — meaning a compromised update server could push malicious firmware to millions of routers. Security researchers have documented that some TP-Link routers phone home to Chinese servers even after factory reset.
What they claim: TP-Link's Tether app allows users to "easily manage your network."
What we found: The TP-Link Tether app collects device names, MAC addresses, connection times, and bandwidth usage for every device on your network. This data is sent to TP-Link's cloud. Combined with the router's DNS logs, TP-Link can build a complete profile of every device in your home and every website anyone visits. The app requires a TP-Link Cloud account for remote management. A 2023 analysis found the Tether app communicated with analytics services including Google Analytics and Facebook SDK, meaning your home network topology is shared with advertising companies through the management app.