
The right question isn't whether to upgrade - it's how fast you need to move. Security is a spectrum, not a binary. Every home network deserves the strongest protection available. The situations below determine whether your timeline is days, months, or simply "when it makes sense." But in every case, the destination is the same: a router built for real security, not one that happens to have an acceptable patch record.

| Your situation | Action |
|---|---|
| TP-Link router in active use | Replace - critical. CISA Volt Typhoon advisory, active federal investigation, documented attack vector. Do not wait. |
| Any router at end-of-life (no more patches) | Replace - critical. An unpatched router is a permanently open door. Every day you wait, the exposure compounds. |
| Tenda or Huawei router | Replace - critical. Documented backdoors (Tenda) or fully banned from the US market (Huawei). These are not routers worth maintaining. |
| ISP gateway (Xfinity, AT&T, Verizon, Spectrum) | Secure now - upgrade when ready. Take immediate steps to harden what you have. Add a dedicated security-focused router behind it as soon as feasible for true control. |
| Older Netgear in active support | Maintain - plan your upgrade. Still receiving patches, but Netgear's support history is uneven. The ceiling on protection here is lower than you deserve. |
| Current-generation Asus, Eero, Google Nest, Linksys | Solid hardware - consider your ceiling. These are good routers. But "good" means you're not in crisis - it doesn't mean you have the highest available protection. Upgrade when you're ready to take security seriously. |
| Router over 5 years old (any brand) | Replace promptly. Age alone puts hardware near or past end-of-life. Modern security standards require modern hardware. |

End-of-life status is the single most important replacement trigger, regardless of manufacturer. When a router reaches end-of-life, the manufacturer permanently stops issuing security patches. Any vulnerability found after that date will never be fixed - the router's security profile is frozen in time and gets worse as new vulnerabilities are discovered. No amount of configuration or hygiene compensates for a router that no one is patching.
Key end-of-life models to replace immediately: TP-Link Archer C7, Netgear Nighthawk R7000, Linksys EA9500, D-Link DIR-842, Apple AirPort Extreme, any Asus RT-N series.
The CISA advisory (AA23-144A), the active DOJ/FCC investigation, and TP-Link's documented involvement in the Volt Typhoon campaign are all independent of any specific firmware version. Even a fully updated TP-Link router carries structural risk from Chinese legal jurisdiction and an ongoing federal investigation. This is not about the hardware quality - it's about what the manufacturer is legally obligated to do under Chinese national intelligence law.
If your home network touches anything sensitive - work, banking, healthcare, children's devices - TP-Link is not an acceptable risk, regardless of model or firmware.
Tenda's AC23 has a documented backdoor vulnerability (CVE-2020-10987) rated 9.8/10 severity that was never properly patched. This is categorically different from an ordinary CVE - it's a deliberately designed or negligently maintained backdoor in hardware that's still in homes today. There is no patch coming. The only solution is replacement.
Most routers are designed to connect you to the internet. The best security routers are designed to protect you while you're there. Those are different products solving different problems. Here's what separates genuinely protective hardware from hardware that merely meets the minimum bar:
All of these models have current FCC authorization, active security patch support, and no Chinese ownership concerns. This list reflects what's available as of March 2026, ordered by the level of protection they provide:
If you have a current-generation Asus, Eero, Google Nest, or AT&T/Verizon ISP gateway, you're not in crisis. These are legitimately decent products with reasonable security records. We don't want to overstate the risk for hardware that's functioning and patched.
But here's our honest view: "no known problems" is a low bar. The routers above protect you from known threats - vulnerabilities that have already been discovered and patched. What they don't provide is defense-in-depth: the ability to isolate compromised devices, encrypt your entire network's traffic before it leaves your home, or give you meaningful control over what devices on your network can do.
If you're satisfied with your current router, the right actions are: ensure auto-updates are enabled, change all default passwords, and check our database periodically for new disclosures about your model. That's responsible security hygiene. When you're ready to stop accepting "adequate" and start expecting the highest protection available, the upgrade path is clear.
ISP-provided gateways are a particular kind of compromise. Your ISP controls the firmware - you can't install security updates yourself, and advanced security settings are often locked or unavailable. You're trusting your carrier's security posture, not your own.
Immediate steps if you're on an ISP gateway:
An ISP gateway in bridge mode behind a security-first router gives you the best of both worlds: your ISP's service without handing them control of your network's security.