Full Report
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware. [...]
Analysis Summary
# Vulnerability: TP-Link Archer NX Series Authentication Bypass and Control Flaws
## CVE Details
* **CVE ID:** CVE-2025-15517 (Primary), CVE-2025-15605, CVE-2025-15518, CVE-2025-15519
* **CVSS Score:** Critical (Numerical score not finalized by NVD, but categorized as "Critical-severity" by the vendor)
* **CWE:** CWE-306 (Missing Authentication for Critical Function), CWE-798 (Use of Hard-coded Cryptographic Key), CWE-77 (Command Injection)
## Affected Systems
* **Products:** TP-Link Archer NX series wireless routers
* **Versions:** Performance models including NX200, NX210, NX500, and NX600
* **Configurations:** Devices running firmware versions prior to the March 2026 security update.
## Vulnerability Description
The primary flaw (CVE-2025-15517) is a missing authentication check within the integrated HTTP server. Specifically, certain Common Gateway Interface (CGI) endpoints that are supposed to be restricted to administrators are accessible without any credentials. This allows an unauthenticated attacker to perform privileged actions, such as uploading unauthorized firmware images or altering system configurations.
Additionally, TP-Link addressed:
* **CVE-2025-15605:** Use of a hardcoded cryptographic key in the configuration mechanism, allowing authenticated users to decrypt, modify, and re-encrypt device configurations.
* **CVE-2025-15518 / CVE-2025-15519:** Command injection vulnerabilities that allow authenticated administrators to execute arbitrary OS commands.
## Exploitation
* **Status:** Not currently reported as exploited in the wild (though other TP-Link flaws are actively targeted by the Quad7 botnet). No public PoC released yet.
* **Complexity:** Low
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** High (Access to configuration files and potential traffic interception)
* **Integrity:** High (Ability to upload malicious firmware and modify settings)
* **Availability:** High (Potential for device bricking or persistent unauthorized control)
## Remediation
### Patches
TP-Link has released firmware updates for all affected models. Users are strongly advised to navigate to the official TP-Link support page or use the router's web interface to check for and install the latest firmware released in March 2026.
### Workarounds
* **Disable Remote Management:** Ensure the web-based management interface is not accessible from the Wide Area Network (WAN side/Internet).
* **Access Control:** Restrict local management access to trusted MAC addresses or specific wired ports only.
## Detection
* **Indicators of Compromise:** Unusual reboots, unauthorized changes to DNS settings, or the presence of unfamiliar firmware version strings.
* **Detection methods:** Security teams can monitor network traffic for unauthenticated POST/GET requests directed at `/cgi-bin/` endpoints on Archer NX devices.
## References
* TP-Link Security Advisory: hxxps[://]www[.]tp-link[.]com/en/support/download/
* NVD Entry: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2025-15517
* BleepingComputer: hxxps[://]www[.]bleepingcomputer[.]com/news/security/tp-link-warns-users-to-patch-critical-router-auth-bypass-flaw/