TP-Link Systems Inc. faces a lawsuit from the state of Texas alleging deceptive marketing and security failures in its router products.
The complaint claims the company misled consumers about both device security and supply chain origins, exposing users to exploitation by Chinese state-backed actors.
Ken Paxton argues TP-Link labeled routers Made in Vietnam while sourcing nearly all components from China, limiting assembly in Vietnam to final stages.
According to the filing, consumers did not receive clear disclosure about sourcing practices or associated geopolitical exposure. The Attorney General stated that behind the Made in Vietnam labeling sits a supply chain entrenched in China.
The lawsuit frames consumer networking hardware as more than commodity IT equipment.
It positions routers used by households and small businesses as potential national security exposure points when supply chain transparency and firmware integrity fall short.
Chinese law, the complaint notes, permits authorities to compel companies with supply chain ties to support intelligence efforts.
Beyond origin labeling, Texas cites a record of firmware vulnerabilities in TP-Link devices. Some of these flaws were exploited in active campaigns.
The complaint alleges state-linked Chinese threat actors leveraged router weaknesses to construct botnet infrastructure and conduct credential-theft operations.
Microsoft reported that the Quad7 botnet, also tracked as CovertNetwork-1658 or xlogin, relied heavily on compromised home and small-business routers, including TP-Link devices.
Operators used the botnet to execute password-spray attacks and related intrusion activity.
According to Beinsure analysts, routers with weak patch management cycles create persistent footholds for credential harvesting at scale.
TP-Link rejected the allegations. In a statement to BleepingComputer, a company spokesperson described the claims as without merit and said the Chinese government does not control the company, its products or its data.
The spokesperson stated that TP-Link Systems Inc. operates as an independent American company with core operations in the United States and that U.S. user networking data resides on AWS infrastructure.
The company said it plans to defend its position in court. The case now moves into litigation, where supply chain documentation, firmware security practices and disclosure standards will likely receive close examination.
