Talos: TP‑Link RCE, OpenVPN DoS; Photoshop, Norton installer bugs

Cisco Talos disclosed a buffer overflow enabling remote code execution on the TP‑Link Archer AX53, multiple command‑injection flaws, installer privilege issues in Photoshop and Norton, and an OpenVPN DoS.

On May 19, 2026, Cisco Talos published a vulnerability advisory detailing a set of flaws that affect a TP‑Link router, the Adobe Photoshop installer, OpenVPN, and Gen Digital’s Norton VPN installer. Talos provided technical details, CVE identifiers, and detection indicators on its intelligence site.

The most serious set of flaws affects the TP‑Link Archer AX53 (firmware v1.3.1 Build 20241120 rel.54901(5553)). Talos identified a stack‑based buffer overflow in the router’s tmpServer opcode (CVE‑2026‑30814) that can be triggered by specially crafted network packets and could permit remote code execution. The team also found seven separate vulnerabilities in the router’s configuration restore routines for OpenVPN and dnsmasq. Those configuration flaws include OS command‑injection and external configuration control issues (CVE‑2026‑30815 through CVE‑2026‑30818 and related entries) that can be triggered by uploading a malicious configuration file. Talos reported that the TP‑Link issues were patched by the vendor under Cisco’s disclosure policy.

Talos reported a privilege‑escalation weakness in the Adobe Photoshop installer distributed through the Microsoft Store. The advisory names the vulnerable installer as Photoshop_Set‑Up.exe version 2.11.0.30 and assigns CVE‑2026‑34632. A low‑privilege user can replace files during installation, which can enable elevation of privileges on the host.

An unrelated reachable assertion vulnerability affects OpenVPN’s TLS Crypt v2 Client Key Extraction path. Talos assigned CVE‑2026‑35058 to the issue in OpenVPN 2.6.x and bleeding‑edge 2.8_git builds. The advisory states that a sequence of specially crafted network packets can provoke the assertion and cause a denial of service.

Talos also disclosed a privilege‑escalation issue in Gen Digital’s Norton VPN installer from the Microsoft Store (CVE‑2025‑58074). The Norton advisory describes a condition where a low‑privilege user can replace installation files during setup, possibly enabling deletion of arbitrary files and subsequent privilege escalation. Talos noted that the Norton vulnerability was observed in use before a vendor patch was available; other vendor fixes were deployed under Cisco’s coordinated disclosure process.

The advisory lists Snort rules and other detection indicators that operators can use to identify exploitation attempts. Talos described the discovery methods as a combination of network‑level fuzzing and review of configuration restore logic. The advisory and accompanying technical writeups are available on the Talos Intelligence site for network and endpoint defenders to review.
