Multiple Critical Vulnerabilities Disclosed in TP‑Link Routers, Canva Affinity, and HikVision Devices
What Happened – Cisco Talos disclosed 10 flaws that can lead to remote code execution in TP-Link Archer AX53 routers, 19 issues in Canva's Affinity design tool (including out-of-bounds reads and a type-confusion bug that enables RCE), and several vulnerabilities in HikVision surveillance products. All of the flaws have been patched by the vendors, and the disclosures were made in accordance with Talos' third-party vulnerability disclosure policy.
Why It Matters for TPRM –
- Unpatched router flaws can give attackers footholds inside corporate networks.
- Compromise of a widely used design SaaS (Canva) may expose client assets and intellectual property.
- Vulnerabilities in HikVision cameras affect physical‑security supply chains and can be leveraged for lateral movement.
Who Is Affected – SaaS graphic‑design platforms, consumer/enterprise networking hardware vendors, and video‑surveillance manufacturers; their downstream customers across finance, healthcare, retail, and government.
Recommended Actions –
- Verify that all affected products have been updated to the patched versions.
- Apply the latest Snort IDS rules covering these vulnerabilities.
- Conduct an asset inventory to confirm whether any vulnerable devices or software are present.
- Update third-party risk questionnaires to include these CVE references.
Technical Notes –
- Attack vectors: crafted EMF files (Canva Affinity), malformed network packets (TP-Link), and potential firmware exploitation (HikVision).
- CVEs include CVE‑2025‑64776, CVE‑2025‑62673, CVE‑2025‑59482, CVE‑2026‑20726, among others.
- Data at risk: system memory, authentication credentials, and any files processed by the vulnerable components.
Source: Cisco Talos Blog