
WDR4300
TP-Link WDR4300 SOHO router model compromised by APT28 for DNS hijacking to harvest Microsoft 365 credentials.
Last refreshed: 17 April 2026
Is the TP-Link WDR4300 in your home office being used by Russian intelligence?
Mentioned in: GRU hijacks home routers for M365 logins
Background
The TP-Link WDR4300 is one of several consumer SOHO router models identified in the NCSC-FBI advisory of 7 April 2026 as hardware compromised by APT28 (GRU Unit 26165) in its DNS hijacking campaign targeting Microsoft 365 credentials. The model was listed alongside the WR841N, WR840N, Archer C7 and several MikroTik devices as part of the same campaign, operational since 2024.
Like other TP-Link SOHO routers in the advisory, the WDR4300 is exposed through a combination of the underlying CVE, common deployment with default admin credentials, and infrequent firmware updates in home and small-office environments. The DNS hijacking technique does not require sustained access to the router after the initial change: once APT28 rewrites the router's DNS server entry, every client on the LAN that uses the router as its resolver is silently directed to an attacker-controlled server for the targeted Microsoft 365 authentication domains, and this persists until the configuration is corrected.
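A defender-side check for the condition just described, written as an added example that is not part of the advisory or this page: it asks the router (the LAN's DNS forwarder) and two independent public resolvers for the A records of the Microsoft 365 sign-in hostnames, and flags any hostname whose router answers share no address at all with the reference answers. The router address and the choice of reference resolvers are assumptions to adjust for your own network; the query and response handling is a minimal hand-rolled RFC 1035 encoder/parser so the script needs nothing outside the standard library.

```python
"""Check whether a SOHO router's DNS forwarder is answering M365 sign-in
hostnames differently from independent public resolvers.

Assumptions (not from the advisory): the router is the LAN resolver at
ROUTER_DNS, and REFERENCE_RESOLVERS are reachable on UDP/53. Both values
are placeholders to adjust for your own environment.
"""
import socket
import struct

ROUTER_DNS = "192.168.0.1"                      # placeholder: router LAN address
REFERENCE_RESOLVERS = ("1.1.1.1", "9.9.9.9")    # assumed independent public resolvers
M365_AUTH_HOSTS = (
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
)


def build_a_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)             # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:                 # root label terminates an uncompressed name
            return off + 1
        off += 1 + length


def parse_a_answers(msg: bytes) -> set:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                      # skip QTYPE + QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                       # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(hostname: str, resolver: str, timeout: float = 3.0) -> set:
    """Ask one specific resolver for the A records of hostname over UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(hostname), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data)


def hijacked_hosts(router_answers: dict, reference_answers: dict) -> list:
    """Hostnames whose router answers share no address with the reference answers.

    CDN-fronted services legitimately return varying addresses, so partial
    overlap is normal; a completely disjoint answer set is the signal to escalate.
    """
    return sorted(
        host for host, router_ips in router_answers.items()
        if router_ips and router_ips.isdisjoint(reference_answers.get(host, set()))
    )


def check_router(router_dns: str = ROUTER_DNS) -> list:
    """Live check: compare the router's answers against the union of the references."""
    router = {h: resolve_a(h, router_dns) for h in M365_AUTH_HOSTS}
    reference = {h: set().union(*(resolve_a(h, r) for r in REFERENCE_RESOLVERS))
                 for h in M365_AUTH_HOSTS}
    return hijacked_hosts(router, reference)


if __name__ == "__main__":
    suspicious = check_router()
    print("hostnames with disjoint router answers:", suspicious or "none")
```

Run it from a host on the router's LAN with the router configured as its resolver. A non-empty result does not prove compromise on its own (geo-distributed sign-in endpoints can differ between resolvers), but it is exactly the condition a rewritten DNS server entry produces, and it warrants checking the router's WAN DNS settings and admin credentials before staff keep signing in through it.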
For UK and US enterprise remote-working policies, any TP-Link model listed in the NCSC advisory should trigger a firmware update and credential change advisory to staff. NCSC's guidance identifies the WDR4300 as an affected model with specific firmware remediation available.