Due to the security issues with such a design, the marketing behind such products with limited feature sets and faulty/incomplete implementations, and users such as @Clive_A defending the product and marketing segments, I must draw attention to the issues affecting switches like the TL-SG108E which are not readily admitted and which this thread seems to suggest are never to be resolved:

• No HTTPS
• No SSH
• DHCP influenced by/traffic leaked to every VLAN accessible to the switch
• Management address and HTTP interface are available to every VLAN accessible to the switch

These seem to be significant issues for security and present simple/obvious operational implications should a DHCP server exist on more than one VLAN.  I do not care what the products are named or how they are marketed.  I care when the ability to use VLANs for security and isolation is crippled by faulty/incomplete implementation and questionable design choices - the sort of things that turn any defects in the web UI (and any ability to reveal the management password sent via HTTP) into exploits that can be used from (again) every VLAN accessible to the switch.

At this point, the posts so far at least acknowledge products by TP-Link and rival brands that may have proper functionality and suggests that the problematic behavior is "working as intended".  Along with that conclusion based on messages so far and lack of evidence to the contrary, I challenge TP-Link as a company and every developer involved in such behavior to defend this behavior and the decisions that led to it.  There is "no constructive result from this" defense of the product and naming strategy by Clive_A, and possibly no defense of the vulnerabilities in production firmware, the marketing strategy, lack of interest by the developers, and the continued sale of the products as if they fully implement VLANs in a useful and secure way.  I expect, though, that it is at least worth asking if the problems could be fixed with a firmware update or if the hardware has been released in a way that dooms buyers to having hardware that can only give them risks they would not reasonably expect from the advertised feature list.

--Baker_DSP

Self-explanatory.. this is a security issue if this is NOT implemented.  Even for basic switch-gear.  If it's sold as "managed" in any capacity, this needs to be there.

  @Clive_A I'm well aware of TP-Link's products.. You're not picking up what I'm puttin' down bud.  Conceptualize my point at a big-picture level, and try again.  This is an outright defective reply.  Also, if you're going to be a p*ick, be a useful p*ick.  And FFS, why are you people censoring stuff lol.  I cant even type something that's remotely not even a swear word in here.. this is hilarious.  If y'all want to be a real functional compeditor to Ubiquity, you need to GET REAL.

  @imoula Bro here's just trash, don't worry.. I'm sure they're not all like him.   The bigger issue is the fact this is sold on Amazon and other places as literally a Managed Switch, when it is in-fact, NOT.    It ruins the reputation of some actually GREAT TP-Link products.  I'm going to have a chat with my MSP rep an see if we can get this dude away from us on these forums maybe.  This is impacting TP-Link's reputation in our industry, and I'm sure TP-Link doesn't want that.

  @Clive_A I don't even USE this switch model.. The issue is you're selling this/letting this be sold as a managed product when it isn't, not properly.  I'm surprised TP-Link's US division allows this to be sold.. usually troublesome SKU's like this are gatekept away so only the Asian etc markets get this less-than-stable/desireable etc stuff.  Again, you miss my (and other's) entire point and it's concept.

Any updates on the progress in getting some less offensive firmware versions or responses from TP-Link?

Efforts have been made to get a CVE designation for the relevant hardware and affected firmware versions, but that also has not had any visible response.

Let's also consider these write-ups that have existed for some time, such as from 2016 and 2018:

pentestpartners - security-blog/how-i-can-gain-control-of-your-tp-link-home-switch/

goughlui - 2018/11/03/not-so-smart-tp-link-tl-sg105e-v3-0-5-port-gigabit-easy-smart-switch/#:~:text=Security%3F%20Um%20%E2%80%A6%20Hold%20My%20Beer.

The links had to be altered somewhat because of the forum's filtering of external links; however the information is out there, as are the vulnerabilities. The right for people to know, understand, and verify risks follows that.  If this post is removed: "How dare you conceal that information?"

Sure, someone could say "customer beware" and "we aren't marketing as if these switches are properly managed switches", but with known vulnerabilities such as insecure transmission of login credentials, repeatable ways to DoS a switch, and leaking of management traffic across any-and-all VLANs, perhaps a "How could you?" question is appropriate.  How could you continue to market this as a managed switch that pretends to have proper management and user access features?  How could you not patch this and expect that no one would shame or ridicule your practices?

Perhaps Clive, a moderator, a lawyer, or other representative would see our posts and those questions as offensive.  They are only offensive if you are not taking the issues seriously.  If you are not taking the issues seriously, then offense is appropriate and well-earned.

This forum post and other vulnerability reports have been pointed out to TP-Link again.  Contact methods today include the security reporting e-mail address and live chat.

There is now at least one confirmed ticket to assist in removing any claims of "plausible deniability" as TP-Link has been informed of these issues, and not just in this forum where the only obvious TP-Link involvement appears to be Clive.

[TP-Link Support]-[TKID241004455] 18341555-  TL-SG105E- Security issues