In a widely predicted move, the FCC has given conditional approvals to two US firms that manufacture their routers abroad, meaning that they can continue to sell certain products. There is no news on success for vendor TP-Link, a sign that the firm remains in the hot seat. The router manufacturer was named and shamed by a separate US government agency, the NSA, this week for vulnerabilities in its routers. While more vendors will receive approval in the coming weeks and months, TP-Link is unlikely to be one of them.
Netgear received approval for around 20 products, and Adtran got approval for its Service Delivery Gateway (SDG) class routers.
As a reminder, last month, the FCC banned the sale of all foreign-made consumer routers. This included equipment from US companies that manufacture equipment overseas. The FCC did this by adding all consumer-router makers to the ‘Covered List’, a list of banned equipment manufacturers in the US. The move also indicated that all consumer routers are manufactured abroad, which shows how much of an uphill struggle the sector has if the US government expects it to onshore production.
Vendors are allowed to apply for exemptions via the US Department of War and the Department of Homeland Security, and they must show a willingness to move some element of manufacturing to the US – which is probably more political showboating than anything else.
The list of information required for conditional approval is exhaustive and includes a thorough description of corporate structure, supply chain, and “a detailed, time-bound plan to establish or expand manufacturing in the United States for the router.”
The action did not affect any previously purchased routers, meaning that consumers can continue to use routers they already own. In addition, the sale of existing stock can continue. The Covered List restrictions “only apply to new models that have not yet received FCC equipment authorization,” Attorney Advisor to the FCC Chris Smeenk told Wireless Watch via email.
“Foreign-produced routers that received equipment authorization before March 23, 2026, may continue to be imported, sold, and used in the United States.”
This news takes the heat out of the announcement somewhat, since it will not entail an immediate interruption of the US router economy.
Security flaws
There was more consumer router security news last week, when the US National Security Agency (NSA) and the FBI warned US citizens that Russian GRU hackers were exploiting vulnerable routers to steal sensitive information.
In this case, TP-Link received another bashing, since its routers containing CVE-2023-50224 were named as a point of vulnerability. More on the demonization of TP-Link later.
The NSA described how it had “disrupted a GRU network of compromised small-office home-office (SOHO) routers used as part of malicious hijacking operations,” and provided a list of security instructions to US households on how best to protect their networks.
Advice included rebooting routers regularly, replacing end-of-service equipment, and changing default usernames and passwords – all very reasonable stuff.
This is a more realistic way of protecting US consumer networks, by encouraging better cybersecurity hygiene, rather than banning all new consumer routers.
Back to the FCC’s foreign-made router ban: there was some irony in the FCC’s statement announcing the router ban. It described how “malicious actors have exploited security gaps in foreign-made routers to attack American households, disrupt networks, enable espionage, and facilitate intellectual property theft.
Foreign-made routers were also involved in the Volt, Flax, and Salt Typhoon cyberattacks targeting vital U.S. infrastructure.”
This is true, although the “security gaps” referred to here were, infamously, backdoor surveillance elements that US telecom companies were required to install in their enterprise-grade routers, many from Cisco, to allow US law enforcement to monitor calls and messages.
Chinese hackers used these backdoor access points to tap phone calls of US politicians. The weak spots for the state-sponsored attacks from Volt, Flax, and Salt Typhoon, are not widely thought to be consumer routers.
TP-Link in the crosshairs
The intention of the FCC’s router ban looks, primarily, to be an attempt to get TP-Link out of the US market. And secondly, to onboard more manufacturing into the US to boost domestic production and jobs – although this second goal seems much less likely to come to fruition.
The FCC’s ban came a few weeks after the publication of a strident National Cyber Strategy from the Trump administration that signaled a more aggressive approach to protecting US tech and infrastructure.
“By disrupting adversaries’ cyber campaigns, and making our networks more defensible and resilient, we will unleash innovation, accelerate economic growth, and secure American technology dominance,” the strategy says.
Attacking consumer router vendor TP-Link is central to the goal of protecting US networks.
Historically, TP-Link has been a dominant vendor in the US, but its role has diminished as the US government turned up the heat. The move to ban foreign-made vendors will likely be the final blow to snuff out TP-Link operations in the US.
The US government is wary of a privately-owned company from China with a key role in its consumer router market.
It has long been trying to prove conclusively that TP-Link routers are more vulnerable to attack or control from the People’s Republic of China (PRC).
But the reality is that TP-Link routers are no more vulnerable than any other product on the market. It is a competitive product and retains support from analysts, even after the FCC ban.
The main threat, which could make TP-Link products more vulnerable, is that bad actors are accessing and tampering with the kit in production – hence the new concern for items manufactured in China, in a ‘supply-chain attack.’
This, of course, extends the sweep of the US government oversight to any company, even a US-owned one that manufactures in China.
In the last two years, US routers have been the subject of targeted attacks from Flax, Volt Typhoon and Salt Typhoon hackers, associated with the Chinese government. Many different brands of routers, enterprise and consumer, were hacked, including TP-Link.
However, the FCC’s ban will, for a time, likely weaken the security of consumer routers. The FCC ruling could slow the adoption of more secure technology because consumers will hold on to existing devices, which often use outdated firmware, default credentials, and poor encryption standards.
TP-Link’s attempt to assimilate
TP-Link US is privately owned by one of its two Chinese co-founders, Jeffrey (Jianjun) Chao.
Since it is privately owned, it does not share details of its finances and production figures. It was the top seller of WiFi routers internationally by unit volume for 12 years up to 2022.
The US entity was hived off from the Chinese firm in 2024, and TP-Link US says that it is now completely separate from the Chinese entity, called TP‑Link Technologies Co.
“TP-Link has split from and no longer has any affiliation with TP-LINK Technologies Co., Ltd., which serves the mainland Chinese market. Despite having similar names, these companies have entirely different ownership, management, and operations,” TP-Link writes on its website.
The mechanisms of the business remain private. TP-Link says that it manufactures its products in a factory in Vietnam, an ostensibly communist country with close ties to China – although the components for its parts are thought to be manufactured in China.
TP-Link’s market share has been falling dramatically in the last two years, likely a reflection of the efforts from the US government to out the squeeze on TP-Link.
In late 2024, three US government agencies were investigating TP-Link routers. In early 2025, a Congressional committee urged Americans to remove Chinese-made wireless routers from their homes, pinpointing TP-Link as a risk.
The US is a slightly unusual market. Its ISPs typically charge their customers rental fees, for CPE provided as part of a broadband contract. Consequently, many broadband customers choose to avoid the rental fee and purchase their own WiFi equipment from retail channels.
However, TP-Link no longer features in the top three router manufacturers provided by major broadband providers AT&T, Charter, Comcast, and Verizon – which may have stopped supplying TP-Link following political pressure. TP-Link’s current share of this market is not known, but it is much smaller than its share of the direct-to-consumer (D2C) market, according to TP-Link itself.
In 2024, in the D2C market, TP-Link had a 37% unit share and a 31% dollar share of the US consumer router market, according to Circana. In 2024, TP-Link had a share of less than 10% of overall router sales in the US. The most recent analysis of router vendors, from Ookla Speedtest samples from January 2025 to March 2026 of the D2C market show that TP-Link had the second-largest market share at 9.9%, under Eero with 10%. Netgear had 9.6.%.
TP-Link US is a separate entity from the Chinese business. The US entity is likely to suffer and possibly exit the US market altogether if it does not receive an exemption from the Covered List.
Exemption is unlikely to happen, given the US government’s commitment to investigate and question TP-Link across both the Biden and Trump administrations. It feels unlikely that TP-Link US could produce any evidence that would convince the bureaucrats to the contrary.
This may be the end of the line for TP-Link US, but the international and Chinese business is still booming. TP-Link has a 60% share of global demand – according to the Hudson report of 2024. TP-Link’s own website points to a Dell’Oro estimate that its US residential market share is less than 10%, so it presumably agrees with that figure.
Impact on the US router market
The next line of enquiry is how the FCC ban will affect other major router manufacturers. Of the other two leading providers on the D2C list, Eero is owned by Amazon, a company with close ties to the Trump administration and likely to be given approval from the Covered List.
Netgear, which is publicly owned and headquartered in the US, does manufacture its routers in China and Vietnam – but it has already indicated early confidence that it will be able to continue to operate in the US. “We commend the Administration and the FCC for their action toward a safer digital future for Americans,” Netgear told Bloomberg.
Taiwan’s Asustek will be closely scrutinized, but as a vendor from an allied nation, it is expected to be able to continue operating in the US.
The FCC’s ban on foreign-made routers seems to be primarily a targeted attack on TP-Link, and secondly, a fishing exercise to have a detailed look into the manufacturing processes of its other suppliers.
For vendors that manufacture in China, they will likely be looking to move operations, if not to the US, but to more affordable and friendly nations elsewhere.
Moving manufacturing to the US is expensive and risky. It will incur much higher costs, making products more expensive, and ultimately uncompetitive, in the case of a change in US leadership that does not value domestic production as highly. Manufacturers do not have the appetite for such extensive overhauls.
A similar recent exercise, where the FCC added all foreign-made drones to the Covered List in December 2025, has resulted (so far) in a handful of approved suppliers – all non-Chinese companies, based in the US, Israel, and Norway.