critical advisory

Multiple Vulnerabilities in Canva Affinity, TP-Link, and HikVision Devices

Cisco Talos disclosed multiple vulnerabilities in Canva Affinity, TP-Link Archer AX53, and HikVision Ultra Face Recognition Terminal products that, if exploited, could lead to sensitive information disclosure, arbitrary code execution, or credential leakage.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a series of vulnerabilities affecting several popular software and hardware products. These include 19 vulnerabilities in Canva Affinity, a graphic and document design tool; 10 vulnerabilities in TP-Link Archer AX53, a dual-band gigabit Wi-Fi router; and one vulnerability in HikVision Ultra Face Recognition Terminals used for authentication. The identified issues are out-of-bounds read and type confusion vulnerabilities in Canva Affinity; stack-based buffer overflows, out-of-bounds writes, and a misconfiguration vulnerability in TP-Link devices; and a stack-based buffer overflow in Hikvision. Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code, leak sensitive information, or compromise device credentials. All reported vulnerabilities have been patched by their respective vendors.

Attack Chain

  1. Initial Access (TP-Link & HikVision): An attacker gains network access to a vulnerable TP-Link Archer AX53 router or HikVision Ultra Face Recognition Terminal.
  2. Network Packet Crafting (TP-Link & HikVision): The attacker crafts a malicious network packet specifically designed to exploit a buffer overflow or other vulnerability in the target device’s firmware.
  3. Packet Transmission (TP-Link & HikVision): The crafted network packet is sent to the vulnerable device, targeting a specific service or functionality (e.g., the tdpServer SSH port update functionality in TP-Link or SADP XML parsing in HikVision).
  4. Vulnerability Trigger (TP-Link & HikVision): Upon receiving the malicious packet, the targeted service attempts to process it, triggering the vulnerability (e.g., a stack-based buffer overflow).
  5. Code Execution or Memory Corruption (TP-Link & HikVision): The buffer overflow or other vulnerability allows the attacker to overwrite memory, potentially leading to arbitrary code execution or corruption of critical system data.
  6. Initial Access (Canva): An attacker entices a user to open a malicious EMF file using Canva Affinity.
  7. File Parsing (Canva): Canva Affinity attempts to parse the EMF file.
  8. Exploitation (Canva): The malformed EMF triggers an out-of-bounds read or type confusion vulnerability, allowing the attacker to read sensitive data or execute code.
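
As an added example (not code from Talos, Canva, or the original page), the following pre-check walks an EMF file's record chain and flags records whose declared size is invalid or extends past the end of the file. It is a generic structural sanity check for the class of malformed input described in steps 6 to 8, not a signature for any specific TALOS issue; `check_emf` and `build_sample` are hypothetical names and the sample bytes are constructed.

```python
import struct

EMR_HEADER, EMR_EOF = 1, 14      # record type values from the EMF format
EMF_SIGNATURE = 0x464D4520       # " EMF", stored little-endian at offset 40
MIN_HEADER = 88                  # fixed part of the header record

def check_emf(data: bytes) -> list:
    """Return structural problems found; an empty list means the record chain is consistent."""
    if len(data) < MIN_HEADER:
        return ["shorter than the 88-byte EMF header"]
    rtype, rsize = struct.unpack_from("<II", data, 0)
    sig, _ver, nbytes, nrecords = struct.unpack_from("<IIII", data, 40)
    if rtype != EMR_HEADER or sig != EMF_SIGNATURE:
        return ["not an EMF file (bad header type or signature)"]
    problems = []
    if rsize < MIN_HEADER:
        problems.append(f"header record size {rsize} is below {MIN_HEADER}")
    if nbytes != len(data):
        problems.append(f"header claims {nbytes} bytes, file has {len(data)}")
    offset = count = 0
    while True:
        if offset + 8 > len(data):
            problems.append(f"record chain ends at offset {offset} without EMR_EOF")
            return problems
        rtype, rsize = struct.unpack_from("<II", data, offset)
        # Every record is at least type+size (8 bytes), 4-byte aligned, and inside the file.
        if rsize < 8 or rsize % 4 or offset + rsize > len(data):
            problems.append(f"record {count} at offset {offset}: bad size {rsize}")
            return problems
        offset, count = offset + rsize, count + 1
        if rtype == EMR_EOF:
            break
    if count != nrecords:
        problems.append(f"header claims {nrecords} records, walked {count}")
    if offset != len(data):
        problems.append(f"{len(data) - offset} trailing bytes after EMR_EOF")
    return problems

def build_sample(eof_size: int = 20) -> bytes:
    """Constructed sample: header record plus EMR_EOF; eof_size can misstate the EOF record length."""
    header = struct.pack("<II", EMR_HEADER, MIN_HEADER) + bytes(32)  # type, size, bounds, frame
    header += struct.pack("<IIIIHH", EMF_SIGNATURE, 0x10000, MIN_HEADER + 20, 2, 1, 0)
    header += bytes(MIN_HEADER - len(header))                        # remaining header fields zeroed
    return header + struct.pack("<IIIII", EMR_EOF, eof_size, 0, 0, 20)

if __name__ == "__main__":
    print(check_emf(build_sample()), check_emf(build_sample(eof_size=4096)))
```

A file that fails this check can be quarantined before it reaches a design tool; a file that passes is only structurally consistent, not known to be safe.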

Impact

Successful exploitation of the reported vulnerabilities could have significant consequences. In the case of Canva Affinity, attackers could potentially disclose sensitive information. For TP-Link devices, attackers could gain control of the router, potentially compromising network security and allowing for man-in-the-middle attacks or other malicious activities. In HikVision devices, successful exploitation leads to remote code execution. Given how widely these devices are used, a large-scale attack could affect a large number of users and organizations.

Recommendation

  • Apply the latest security patches released by Canva, TP-Link, and HikVision to address the vulnerabilities mentioned in this brief (CVE-2025-64776, CVE-2025-64301, CVE-2025-64733, CVE-2025-66042, CVE-2025-62403, CVE-2025-58427, CVE-2025-62500, CVE-2025-61979, CVE-2025-61952, CVE-2025-47873, CVE-2025-66503, CVE-2026-20726, CVE-2025-66000, CVE-2025-65119, CVE-2026-22882, CVE-2025-66617, CVE-2025-66633, CVE-2025-64735, CVE-2025-66342, CVE-2025-62673, CVE-2025-59482, CVE-2025-62405, CVE-2025-59487, CVE-2025-61983, CVE-2025-62404, CVE-2025-61944, CVE-2025-58455, CVE-2025-58077, CVE-2025-62501, CVE-2025-66176).
  • Monitor network traffic for suspicious packets targeting TP-Link Archer AX53 routers using a network intrusion detection system (NIDS). Consider creating custom signatures to detect exploitation attempts related to TALOS-2025-2290, TALOS-2025-2283, TALOS-2025-2284, TALOS-2025-2285, TALOS-2025-2286, TALOS-2025-2287, TALOS-2025-2288, TALOS-2025-2289, TALOS-2025-2294, and TALOS-2025-2291.
  • Monitor endpoint systems for processes opening EMF files, particularly if the process is Canva Affinity, to detect potential exploitation of Canva Affinity vulnerabilities (TALOS-2025-2311, TALOS-2025-2310, TALOS-2025-2300, TALOS-2025-2319, TALOS-2025-2321, TALOS-2025-2314, TALOS-2025-2298, TALOS-2025-2299, TALOS-2025-2317, TALOS-2025-2316, TALOS-2025-2318, TALOS-2025-2324, TALOS-2025-2301, TALOS-2025-2320, TALOS-2025-2325, TALOS-2025-2315, TALOS-2025-2313, TALOS-2025-2312, TALOS-2025-2297).

Detection coverage (3 rules)

Detect Canva Affinity opening EMF files

medium

Detects processes opening EMF files which may indicate exploitation of Canva Affinity vulnerabilities.

sigma | tactics: initial_access | techniques: T1566 | sources: file_event, windows

Detect Network Traffic to TP-Link Routers on Port 22

low

Detects network connections to TP-Link routers on port 22, which may indicate attempted exploitation of SSH vulnerabilities.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows

Detect Hikvision SADP Traffic

medium

Detects network traffic associated with the Hikvision SADP protocol, potentially indicating attempts to exploit the SADP XML parsing vulnerability.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows
