U.S. Considers Ban on TP-Link Routers Amid China Security Concerns

The United States government is reportedly advancing plans to prohibit the sale of networking equipment from TP-Link Systems, a move that could significantly reshape the consumer router market while underscoring persistent national security concerns tied to global supply chains. The proposed ban, supported by several federal departments, centers on allegations of the company’s potential vulnerability to influence from the Chinese government, despite TP-Link’s assertions of independence.

Officials within the U.S. Department of Commerce have reportedly concluded that products from TP-Link Systems, a company estimated to hold a substantial market share among home users and small businesses, pose a risk due to their handling of sensitive American data. This conclusion, initially reported by The Washington Post, has ignited a debate over the origins and security of common household technology. TP-Link Systems, which claims headquarters in California and manufacturing in Vietnam, vigorously disputes these allegations. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond,” said Ricca Silverio, a spokeswoman for the company, in a statement. The company also states that it fully separated from China-based TP-Link Technologies three years ago and that it directly owns and operates engineering, design, and manufacturing capabilities in China without Chinese government supervision.

TP-Link’s prevalence in the market is largely attributed to its competitive pricing and consistent performance, making its devices a staple for internet service providers (ISPs) that bundle routers with their services, as Wired observed in February 2025. However, concerns intensified in August 2024 when the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices. In a letter to the Commerce Department, lawmakers warned of “TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law.”

These legislative concerns are bolstered by research from cybersecurity firms. Check Point Research, in May 2023, detailed a malicious firmware implant used by the Chinese state-sponsored hacking group “Camaro Dragon” on some TP-Link routers to target European foreign affairs entities. Similarly, Microsoft reported in October 2024 tracking a network of compromised TP-Link small office/home office routers that Chinese state-sponsored groups, including “Storm-0940,” have exploited for password spraying attacks since 2021. TP-Link counters that many competitors also source components from China and have faced vulnerabilities in their products.

Beyond specific company affiliations, the incident highlights a broader industry challenge: many consumer-grade routers ship with security defaults that users often neglect to change. Basic hygiene, such as altering default passwords and updating firmware, is critical but often overlooked, leaving devices susceptible to compromise by botnets and other threats. While newer mesh router systems from brands like Amazon’s Eero and Netgear’s Orbi increasingly automate these steps, less expensive traditional routers still largely rely on users to manually manage updates.

For those wary of vendor-specific vulnerabilities or seeking greater control, open-source firmware alternatives like OpenWrt or DD-WRT offer enhanced features and configurability, and many TP-Link routers are compatible. While these may not address hardware-specific flaws, they can mitigate common software weaknesses. Regardless of brand, upgrading routers more than four or five years old is often advisable for both performance and security reasons. For devices provided and managed by an ISP, users should always consult their provider before attempting any modifications.