Texas Sues TP-Link Over Alleged Security Risks and Supply Chain Deception

Texas has filed a lawsuit against networking manufacturer TP-Link Systems, accusing the company of misleading consumers about the security and origins of its routers while exposing users to exploitation by Chinese state-backed threat actors. 

The complaint alleges that TP-Link marketed its devices as secure and labeled them “Made in Vietnam,” despite sourcing nearly all components from China and failing to prevent firmware vulnerabilities from being abused in cyber operations.

“Behind TP-Link’s ‘Made in Vietnam’ stickers is a supply chain deeply entrenched in China, where nearly all of TP Link’s components are sourced before being shipped to Vietnam for mere final assembly,” said the Texas Attorney General in the lawsuit.

Geopolitics and Router Vulnerabilities

The lawsuit highlights how consumer and small-business networking hardware can evolve from a routine IT purchase into both a cybersecurity and national security concern. 

According to the complaint, Chinese law permits authorities to compel companies with Chinese supply chain ties to cooperate with government intelligence efforts. 

Texas Attorney General Ken Paxton argues that TP-Link’s alleged failure to clearly disclose the origin and sourcing of its products prevented consumers from fully understanding potential geopolitical and data security implications.

Beyond supply chain transparency, the suit cites a history of security vulnerabilities in TP-Link routers, some of which have been actively exploited in real-world attacks. 

The complaint alleges that firmware flaws were leveraged by Chinese state-linked threat actors to build botnet infrastructure and conduct credential-theft campaigns. 

Microsoft reported that the Quad7 botnet (also tracked as CovertNetwork-1658 or xlogin) was constructed largely from compromised home and small-business routers, many of them TP-Link devices, and used to carry out password-spray attacks and other malicious operations.

TP-Link has denied the allegations. In a statement to BleepingComputer, a company spokesperson described the claims as “without merit,” asserting that the Chinese government does not exercise ownership or control over the company, its products or its user data. 

The spokesperson further emphasized that TP-Link Systems Inc. operates as an independent American company, with core operations based in the United States and U.S. user networking data stored on AWS infrastructure. 

The company said it intends to “vigorously defend” its reputation as a provider of secure connectivity.

Hardening the Network Edge

As edge devices, routers can introduce meaningful risk if misconfigured, unpatched or inadequately monitored.

• Keep router firmware patched, replace end-of-life hardware and verify patches are successfully applied across all devices.
• Restrict administrative access by disabling internet-facing management interfaces, limiting access to trusted IP ranges and requiring VPN-based or segmented management networks.
• Harden configurations by disabling unnecessary services, legacy protocols and UPnP, enforcing encrypted management access and changing all default credentials to strong, unique passwords with MFA where supported.
• Segment critical systems from edge devices and isolate consumer-grade routers from sensitive enterprise assets to reduce lateral movement risk.
• Enable continuous monitoring through IDS/IPS or NDR tools, log configuration changes and watch for unusual outbound traffic, DNS anomalies or signs of command-and-control activity.
• Incorporate routers into formal vulnerability management and third-party risk programs, including vendor security reviews, supply chain assessments and periodic penetration testing. 

Collectively, these measures can help limit the blast radius of a compromised device and strengthen overall resilience across the network edge.

Edge Device Security and Vendor Risk

The outcome of Texas’ lawsuit against TP-Link could have broader implications for how networking vendors disclose supply chain details and address firmware security risks. 

As regulators increase scrutiny of foreign-linked technology providers, organizations may need to look beyond price and performance when selecting infrastructure hardware. 

In an environment where edge devices can serve as gateways for large-scale compromise, proactive governance and continuous oversight will be essential to maintaining trust and network resilience.

This is one reason why organizations are leveraging zero-trust solutions to continuously verify access across users, devices and infrastructure.