Texas Sues TP-Link Over Router Security Flaws, Firmware Vulnerabilities, and Supply-Chain Risks

CyberSecureFox 🦊

The Office of the Attorney General of Texas has filed a lawsuit against network equipment manufacturer TP-Link, accusing the company of misleading consumers and creating potential national security and data privacy risks. At the center of the case are alleged router firmware vulnerabilities, links to the Quad7 botnet, and claims that TP-Link misrepresented the country of origin of its devices.

Texas Targets TP-Link Over Labeling and Supply-Chain Transparency

The lawsuit follows an investigation launched in autumn 2024. Texas Attorney General Ken Paxton alleges that TP-Link labeled its products as “Made in Vietnam” while key components and supply chains were tightly connected to China. According to the complaint, this mislabeling constitutes deceptive trade practices and obscures the real supply-chain risk profile of the routers.

Texas authorities emphasize that Chinese national security and intelligence laws can require domestic companies and suppliers to assist state authorities in accessing data. Even when final assembly occurs outside China, regulators increasingly scrutinize whether critical hardware, firmware development, or back-end services depend on Chinese entities that may be subject to such obligations.

Why Country-of-Origin Matters for Cybersecurity

In modern networks, supply-chain security is not only about where a device is assembled, but also where its chipsets are manufactured, where firmware is developed, and who operates supporting cloud services. Texas argues that inaccurate country-of-origin claims prevent consumers and organizations from making informed risk assessments, especially for devices that sit at the core of home and small-office infrastructure.

Router Firmware Vulnerabilities and the Quad7 Botnet

A major part of the lawsuit focuses on router firmware security. The Attorney General alleges that TP-Link advertised its routers as secure while shipping devices with known, unpatched vulnerabilities. These flaws were allegedly exploited at scale by threat actors, including Chinese cybercriminal groups.

The filing specifically references the Quad7 botnet (also known as CovertNetwork-1658 or xlogin), which Microsoft publicly documented in October 2024. According to Microsoft’s reporting, Quad7 is largely composed of compromised home and small-office routers, with a substantial share attributed to TP-Link hardware. Once infected, these routers were used as infrastructure for attacks, including password spray campaigns.

How Password Spray and IoT Botnets Exploit Weak Routers

Password spray attacks involve trying a small set of common or weak passwords across a large number of accounts, instead of brute-forcing a single account. This method often evades basic lockout and anomaly-detection mechanisms, especially when distributed across thousands of compromised routers acting as stealthy proxies.

When router firmware remains outdated, devices become easy targets for IoT botnets. Once compromised, routers can be used for credential attacks, distributed denial-of-service (DDoS), anonymizing malicious traffic, or staging intrusions into corporate networks. Industry analyses consistently show that millions of consumer routers worldwide run old firmware with publicly documented exploits, making this an attractive and resilient platform for cybercrime.

National Security and Privacy Risks from Insecure Routers

Texas argues that routers built with predominantly Chinese components, combined with alleged mislabeling and persistent firmware vulnerabilities, create systemic risks of covert surveillance and mass data collection. A router sits at the chokepoint of a user’s network, processing nearly all internet traffic: login credentials, messaging, banking connections, and access to corporate resources.

If compromised—whether by criminal actors or state-linked groups—a router can enable traffic interception, metadata harvesting, or manipulation of DNS and routing to silently redirect users to malicious infrastructure. This turns what appears to be a basic household device into a strategic asset for attackers.

Through the lawsuit, Texas seeks financial penalties and a court order requiring TP-Link to:

  • Clearly and transparently disclose the origin of hardware, firmware development, and supply-chain dependencies;
  • Stop collecting and processing user data without explicit, informed consent from consumers;
  • Ensure that marketing claims about security match the actual protection level and patching practices of the devices.

Texas’ Broader Crackdown on Consumer Electronics and Data Collection

This is not the first time Texas has pursued major electronics manufacturers over data and privacy issues. In December 2025, the state filed suits against five leading TV vendors — Sony, Samsung, LG, Hisense, and TCL — alleging covert user tracking via Automated Content Recognition (ACR) technology that monitors what viewers watch.

These cases signal a regulatory strategy that treats consumer electronics — TVs, routers, smart devices — as part of a unified digital environment where data collection, telemetry, and security practices must withstand legal and public scrutiny.

TP-Link’s Response: Denial of Ties to the Chinese Government

In comments to BleepingComputer, TP-Link called the accusations unfounded and stated that it will contest them in court. The company insists that neither the Chinese government nor the Chinese Communist Party controls TP-Link, its products, or user data.

TP-Link portrays TP-Link Systems as an independent American entity. According to the company, its founder and CEO Jeffrey Chao resides in Irvine, California and has never been a member of the Chinese Communist Party. TP-Link also claims that critical infrastructure for U.S. customers is located within the United States, with user data hosted on Amazon Web Services servers.

The outcome will depend on judicial assessment of the technical evidence around firmware vulnerabilities and botnet activity, as well as legal questions related to labeling, consumer protection, and privacy compliance.

For users and organizations, this case is a reminder that home and office routers are high-value security assets. It is essential to regularly update firmware, change default passwords, disable unnecessary remote-access features, and prefer vendors with a transparent security and patching record. Enterprises should maintain an inventory of network devices, centralize update management, and monitor for anomalous traffic to reduce the chance that their infrastructure becomes part of the next large-scale botnet.
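As an added example of the inventory-driven checks recommended above (not code from the article or from any vendor), the script below audits a constructed device inventory against a minimum-firmware baseline and flags the three conditions the text singles out: outdated firmware, WAN-side remote administration left enabled, and unchanged default credentials. The model names, version numbers and inventory fields are hypothetical; a real baseline would be populated from vendor advisories. The version comparison is done numerically, since a plain string comparison would rank "1.2.9" above "1.2.10".

```python
import re

# Constructed minimum-firmware baseline keyed by (hypothetical) model name.
BASELINE = {"ROUTER-A": "1.2.10", "ROUTER-B": "3.0.4"}

# Constructed inventory, as it might be exported from a CMDB or discovery scan.
INVENTORY = [
    {"host": "branch1-gw", "model": "ROUTER-A", "firmware": "1.2.9",
     "remote_admin": True,  "default_creds_changed": False},
    {"host": "branch2-gw", "model": "ROUTER-A", "firmware": "1.2.10",
     "remote_admin": False, "default_creds_changed": True},
    {"host": "hq-gw",      "model": "ROUTER-B", "firmware": "3.0.4 Build 20240915",
     "remote_admin": True,  "default_creds_changed": True},
    {"host": "lab-gw",     "model": "ROUTER-C", "firmware": "0.9.1",
     "remote_admin": False, "default_creds_changed": True},
]


def parse_version(text):
    """Extract the numeric components of a firmware string as a tuple so that
    tuple comparison orders versions correctly ('1.2.10' > '1.2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit(inventory, baseline):
    """Return {host: [issue, ...]} for every device with at least one finding."""
    findings = {}
    for dev in inventory:
        issues = []
        minimum = baseline.get(dev["model"])
        if minimum is None:
            issues.append("model has no firmware baseline (inventory gap)")
        elif parse_version(dev["firmware"]) < parse_version(minimum):
            issues.append(f"firmware {dev['firmware']} below minimum {minimum}")
        if dev["remote_admin"]:
            issues.append("WAN-side remote administration enabled")
        if not dev["default_creds_changed"]:
            issues.append("default administrator credentials still in use")
        if issues:
            findings[dev["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(INVENTORY, BASELINE).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The "no baseline" case is deliberately reported rather than ignored: a model nobody tracks is exactly the device that ends up running years-old firmware, which is the population the botnets described above are built from.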
