TP-Link Patches Multiple Flaws Including Authentication Bypass in Archer NX Routers

TP-Link issued a security advisory for four high-severity vulnerabilities in its Archer NX series routers that could allow attackers to take full control of the devices. The most significant flaw is an authentication bypass that enables unauthenticated users to perform privileged actions, such as uploading malicious firmware. 

Vulnerabilities summary:

• CVE-2025-15517 (CVSS score 8.6) - An authentication bypass in the HTTP server caused by missing validation checks on specific CGI endpoints. Unauthenticated attackers can exploit this flaw to run privileged actions, including firmware uploads and configuration changes, without providing any credentials. This allows for a complete device takeover by replacing the legitimate operating system with a malicious version.
• CVE-2025-15605 (CVSS score 8.5) - A hardcoded cryptographic key within the configuration encryption mechanism that allows for the decryption and re-encryption of device settings. Authenticated attackers can use this key to access sensitive configuration files, modify them to include backdoors, and re-encrypt them to avoid detection. This flaw compromises the integrity of the router's internal security parameters.
• CVE-2025-15518 (CVSS score 8.5) - A command injection vulnerability in the Wireless Control CLI path resulting from improper handling of administrative input. An attacker with administrative privileges can send crafted strings to the CLI to run arbitrary operating system commands. This enables the execution of persistent malware or the exfiltration of network traffic data.
• CVE-2026-15519 (CVSS score 8.5) - A command injection vulnerability in the Modem Management CLI path caused by inadequate input validation. Similar to the wireless control flaw, an authenticated administrator can trigger the execution of arbitrary OS commands. This impact extends to the confidentiality and availability of the entire network infrastructure managed by the router.

Exploiting these flaws allows threat actors to intercept unencrypted traffic, reroute DNS queries to malicious servers, and inject payloads into active web sessions. Compromised devices are frequently recruited into botnets to launch distributed attacks or facilitate lateral movement within a network. 

The security flaws impact multiple hardware and firmware versions: across the Archer NX

• Archer NX600 (v1.0, v2.0, v3.0),
• Archer NX500 (v1.0, v2.0),
• Archer NX210 (v2.0, v2.20, v3.0),
• Archer NX200 (v1.0, v2.0, v2.20, v3.0). 

TP-Link noted that these specific models are not sold in the United States, but are prevalent in international markets. Users can verify their specific version through the device web interface or the physical label on the hardware.

TP-Link strongly recommends that all users download and install the latest firmware updates immediately to mitigate these risks. Administrators should visit the official TP-Link Support portal to find the correct patch for their hardware version. I

n addition to patching, security professionals should disable remote management features and ensure that administrative interfaces are only accessible from trusted internal networks.