Built by Rio · Open Methodology

How We Rate
Router Security

Four scored components. Six government and industry data sources. Every number fully explained.

Rio built this tool because we believe consumers deserve access to the same security data we use when evaluating hardware. Our ratings are based entirely on publicly verifiable government and industry data sources documented on this page. We publish the full methodology so it can be scrutinized, challenged, and improved. If you find an error, let us know.

Our underlying view: every home network deserves the highest protection available - not just adequate hardware. This scoring system is designed to make the gap between "passing" and "genuinely protected" visible.

Last reviewed: March 2026 · ismyroutersafe.com

The four scoring components

Each router is evaluated on four independent components. No single component determines the overall grade - we weight them based on practical security impact for a typical US household. High-weight components can fail a router on their own; medium-weight components require multiple issues before they significantly lower the grade.

High weight - can determine grade alone
Medium weight - contributes to overall grade
01
🛡️
Active Security Patch Support
● High weight
What we measure
Whether the manufacturer is actively issuing security patches for this specific model. Whether the model has reached end-of-life (EOL) status - meaning no further security updates will be issued, ever.
Why it matters most
An unpatched router accumulates permanent vulnerabilities. Every new CVE discovered becomes a permanent attack surface. This is the single most actionable risk for most households. A router with no patches is an unmonitored open door.
How we verify it
We cross-reference official manufacturer support pages, EOL announcements, and firmware release histories. We date-stamp each entry so you know when we last verified active support status.
nvd.nist.gov
Scoring impact
End-of-life status alone can reduce a grade to D or F regardless of other factors. Active auto-update support improves the grade. Manual-update-only routers score lower than auto-update ones.
02
🔍
Documented CVE Severity
● High weight
What we measure
CVSS v3 severity scores of all known CVEs (Common Vulnerabilities and Exposures) for the router model and its firmware. We weight by severity: Critical (9.0–10.0) > High (7.0–8.9) > Medium (4.0–6.9) > Low.
Why it matters
Critical and High CVEs - especially those with known exploits - represent immediate, concrete risk. CVSS 9+ vulnerabilities often allow remote code execution or complete device takeover without authentication.
Data source
NIST National Vulnerability Database, the US government's authoritative repository of publicly known vulnerabilities. CVE data is updated continuously; our entries are stamped with verification dates.
nvd.nist.gov/vuln/search
Patched vs. unpatched
We distinguish between patched CVEs (available fix exists) and unpatched CVEs. An unpatched Critical CVE has significantly more weight than a patched one. Active exploitation status adds additional weight.
03
⚠️
CISA Advisory Mentions
● High weight
What we measure
Whether CISA (Cybersecurity and Infrastructure Security Agency) has specifically cited this model or manufacturer in a security advisory or added its vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog.
Why CISA mentions are different
CISA advisories reflect documented active exploitation, not theoretical risk. A CISA mention means the vulnerability has been weaponized by real threat actors against real victims. This is qualitatively different from a theoretical CVE.
Data source
The CISA KEV catalog is publicly available and updated continuously. We also reference CISA's published cybersecurity advisories (CSAs), including joint advisories co-authored with NSA, FBI, and Five Eyes partners.
cisa.gov/kev-catalog
Key advisories cited
CISA AA23-144A (Volt Typhoon), CISA AA23-234A (Flax Typhoon), and AA24-038A (Salt Typhoon) are the primary advisories affecting routers in our database. TP-Link, Netgear, and others are specifically cited.
04
🏛️
Manufacturer Legal Jurisdiction
● Medium weight
What we measure
Whether the manufacturer is headquartered in, or legally subject to, a foreign adversary nation - primarily China, Russia, or Iran. We assess both where the company is headquartered and whether it has significant operations or ownership in these jurisdictions.
The legal basis for this risk
China's 2017 National Intelligence Law (Article 7) legally compels any Chinese company or citizen to cooperate with intelligence collection requests. This creates a structural legal risk - regardless of the company's current behavior or stated policies.
What we cite
Public corporate filings, SEC records, documented corporate ownership structures, and reporting from Reuters, WSJ, and government sources. We do not rely on rumor or anonymous sources for jurisdiction assessments.
sec.gov · public filings
Important nuance
Jurisdiction is a structural risk factor, not a proven harm. We are not asserting that specific acts of surveillance have occurred. We flag the legal exposure created by the Chinese intelligence law as a risk factor, not a confirmed incident.
05
📋
FCC Authorization Status
● Medium weight
What we measure
Whether the device has current FCC Equipment Authorization. Whether it is under review by the FCC. Whether the manufacturer or device model appears on the FCC's Covered List - the formal designation of equipment deemed a national security risk.
Why it matters
FCC authorization status reflects the US government's formal assessment of national security risk. Covered List designation means the FCC has officially determined that the equipment poses an unacceptable risk to US national security.
Data source
The FCC Equipment Authorization Database and the FCC Covered List, both publicly accessible. We verify authorization status and track changes to the Covered List, which was most recently updated March 23, 2026.
fcc.gov/oet/ea/fccid
Covered List vs. ban
Covered List designation does not immediately ban existing devices from use - it prevents new models from receiving authorization. We note Covered List status as a risk flag without implying your existing device is illegal.

Grade definitions

Grades represent the combined weighted score across all four components. They are designed to be action-oriented - each grade maps to a clear recommended action for the household.

A
Low Risk / Protected
Active security support, no critical CVEs, no CISA mentions, clean manufacturer jurisdiction, current FCC authorization. This is the baseline we recommend all households aim for.
Active patches · No critical CVEs · No CISA mention · Clean jurisdiction · FCC authorized
B
Low-Moderate Risk / Maintain
Active security support, minor CVEs (all patched), no CISA mentions, clean manufacturer jurisdiction. May have some limitations in advanced security features. Maintain firmware updates.
Active patches · Minor CVEs (patched) · No CISA mention · Clean jurisdiction
C
Moderate Risk / Act Now
Active or limited support, significant CVEs (mostly patched), ISP control limitations, or minor jurisdiction concerns. Requires user attention - change default passwords, enable automatic updates.
Significant CVEs · Jurisdiction concern · ISP limitations
D
Higher Risk / Plan Replacement
End-of-life hardware (no patches), or significant unpatched CVEs, or multiple jurisdiction/FCC concerns. Replacement recommended within 12 months. Do not use on networks with sensitive data.
End-of-life risk · Unpatched CVEs · Multiple risk factors
F
High Risk / Replace Urgently
Active CISA advisory, critical unpatched CVEs, Chinese-jurisdiction manufacturer with documented involvement in hacking campaigns, or equipment banned from US federal networks. Replace or fully isolate immediately.
Active CISA advisory · Critical unpatched CVEs · Federal ban · State-sponsored link

Where our data comes from

Every data point in our ratings traces to a publicly accessible, citable source. We do not use proprietary threat intelligence feeds, anonymous tips, or unverifiable claims. If you can't find the source, tell us - we'll fix it.

Every individual router check page also displays a Sources & Evidence section at the bottom, listing the exact primary sources - NIST NVD CVE records, FCC filings, CISA advisories, and government investigation records - that underlie each finding for that specific model. No finding appears on this site without a traceable primary source link.

NIST National Vulnerability Database (NVD)
US Gov
The US government's authoritative database of publicly known cybersecurity vulnerabilities. We cross-reference all router models against NVD CVE records, using CVSS v3 severity scores where available (falling back to v2 for older entries). Data is queried via the NVD REST API and verified manually for key entries.
nvd.nist.gov
CISA Known Exploited Vulnerabilities (KEV) Catalog
US Gov
The Cybersecurity and Infrastructure Security Agency's catalog of vulnerabilities confirmed to be actively exploited in the wild. CISA KEV entries receive elevated weight in our scoring because they indicate real-world weaponization, not merely theoretical exposure. The catalog is updated continuously and publicly accessible.
cisa.gov/known-exploited-vulnerabilities-catalog
CISA Cybersecurity Advisories (CSAs)
US Gov
Formal security advisories published by CISA, often co-authored with NSA, FBI, and international Five Eyes partners. Key advisories for router security include AA23-144A (Volt Typhoon), AA23-234A (Flax Typhoon), and AA24-038A (Salt Typhoon). We cite specific advisory identifiers inline in router entries that are affected.
cisa.gov/news-events/cybersecurity-advisories
FCC Equipment Authorization Database
US Gov
The FCC's public database of devices that have received equipment authorization to be sold in the US. We verify current authorization status, identify devices under review, and track Covered List status. The Covered List was most recently updated March 23, 2026 to include all consumer routers manufactured in foreign adversary nations.
fcc.gov/oet/ea/fccid
FCC Covered List
US Gov
The FCC's formal designation of communications equipment deemed to pose unacceptable national security risks, maintained under the Secure and Trusted Communications Networks Act of 2019. Covered List designation reflects the FCC's official security assessment and is the basis for import restrictions and the equipment authorization ban.
fcc.gov/supplychain/coveredlist
Public Corporate Filings & Ownership Records
Public Record
For manufacturer jurisdiction assessments, we rely on public corporate filings, SEC EDGAR records where applicable, official company disclosures, and documented reporting from Reuters, WSJ, and other primary sources on corporate ownership structures. We do not speculate on ownership - all jurisdiction assessments cite specific public documentation.
sec.gov/cgi-bin/browse-edgar
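
As an added example (not Rio's code and not part of the published methodology), the following shows the CVSS v3 lookup with v2 fallback, the severity bands from "Documented CVE Severity", and a KEV cross-reference, run over constructed records laid out like NVD API 2.0 and CISA KEV JSON. The CVE ids, the PATCHED set, and the sort order are assumptions made for illustration.

```python
# Added illustration, not the site's scoring code. Records are constructed
# samples laid out like NVD API 2.0 and CISA KEV JSON; CVE ids are placeholders.
NVD_SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "metrics": {
        "cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
    {"cve": {"id": "CVE-0000-0002", "metrics": {
        "cvssMetricV2": [{"cvssData": {"baseScore": 7.5}}]}}},
    {"cve": {"id": "CVE-0000-0003", "metrics": {}}},
]}
KEV_SAMPLE = {"vulnerabilities": [{"cveID": "CVE-0000-0002"}]}
PATCHED = {"CVE-0000-0001"}  # assumption: fix status is tracked per model


def base_score(cve):
    """Return (score, cvss_version), preferring v3.x and falling back to v2."""
    metrics = cve.get("metrics", {})
    for key, version in (("cvssMetricV31", "3.1"), ("cvssMetricV30", "3.0"),
                         ("cvssMetricV2", "2.0")):
        if metrics.get(key):
            return metrics[key][0]["cvssData"]["baseScore"], version
    return None, None  # not yet scored by NVD; must not read as "no risk"


def band(score):
    """Severity bands as listed under 'Documented CVE Severity'."""
    if score is None:
        return "Unscored"
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return name
    return "Low"


def summarize(nvd, kev, patched):
    """One row per CVE, ordered KEV-listed first, then unpatched, then by score.
    The ordering is an assumption; the page publishes no numeric weights."""
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    rows = []
    for item in nvd["vulnerabilities"]:
        cve = item["cve"]
        score, version = base_score(cve)
        rows.append({"id": cve["id"], "score": score, "band": band(score),
                     "cvss": version, "kev": cve["id"] in kev_ids,
                     "patched": cve["id"] in patched})
    rows.sort(key=lambda r: (r["kev"], not r["patched"], r["score"] or 0.0),
              reverse=True)
    return rows


if __name__ == "__main__":
    for row in summarize(NVD_SAMPLE, KEV_SAMPLE, PATCHED):
        print(row)
```

CVSS v2 has no Critical rating of its own, so a band derived from a v2 fallback score is not strictly comparable to a v3 band; keeping the version beside the band shows which scale produced it.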

What we don't do

Transparency means being as clear about our limits as about our methods. The following are explicit out-of-scope items - things we do not claim to measure or assess.

🔬
We don't conduct our own penetration testing
Our analysis is based entirely on publicly documented vulnerabilities and third-party security research. We do not run our own lab environments, fuzz test firmware, or conduct active security assessments. Our work is synthesis and curation, not primary research.
📦
We don't assign risk scores to individual firmware versions
We assess model lines, not individual firmware versions. If a critical CVE is patched in a specific firmware update, we note this - but we still flag the model's vulnerability history. A patched router is better than an unpatched one, but its CVE history is still a risk signal.
🔮
We don't make predictions about future vulnerabilities
A "low risk" grade means low documented risk as of the verification date - not guaranteed security. All hardware contains undiscovered vulnerabilities. We strongly recommend enabling auto-updates regardless of your router's current grade.
🔒
We don't assess physical security or hardware implants
Our analysis covers network-facing software vulnerabilities and supply chain / legal jurisdiction risks. We do not assess physical tamper resistance, hardware-level implant risks, or manufacturing-stage backdoors that would require hands-on hardware analysis to detect.
📡
We don't claim to know what ISPs can see on your network
ISP-provided gateways have unique characteristics - ISPs can push firmware updates, access diagnostics, and in some cases monitor traffic through their hardware. Our ISP gateway assessments reflect publicly known risks, not assertions about specific ISP data practices.

Known limitations

Coverage gaps
We currently track 66 router models - but there are hundreds more. If your router isn't in our database, that doesn't mean it's safe - it means we haven't assessed it yet. We're expanding coverage continuously. The absence of a listing is not an endorsement.
⏱️
CVE databases have a publication lag
New vulnerabilities may be publicly disclosed before they appear in NVD. Our data is current as of the verification date shown on each router entry. Entries with older verification dates may not reflect the most recent CVE disclosures for that model.
🏢
Jurisdiction is a structural risk, not a proven incident
We flag Chinese-jurisdiction manufacturers based on the structural legal exposure created by China's 2017 National Intelligence Law. We are not asserting that specific acts of data collection, surveillance, or intelligence cooperation have occurred in any specific case. The legal structure creates the risk; we are documenting the legal structure.
📶
ISP gateway security data is partially opaque
ISPs don't always publish detailed security advisories for their provided hardware. Our ISP gateway assessments rely on publicly available disclosures, FCC records, and third-party security research. ISP gateway entries should be treated as less complete than standalone router entries.
⚖️
FCC Conditional Approvals may change the landscape
The FCC's Conditional Approval process may eventually authorize some currently-uncertain foreign-made routers. We will update router entries as that process produces outcomes. Current ratings reflect the status as of March 2026 and will be refreshed as the regulatory picture evolves.

Methodology last reviewed: March 30, 2026 · Data currency varies by router entry - see individual router reports for verification dates · ismyroutersafe.com