TP-Link patches Archer NX router flaws that can bypass login and lead to system command execution


TP-Link has disclosed four high-severity vulnerabilities affecting its Archer NX200, NX210, NX500, and NX600 routers. The most serious flaw lets an attacker bypass authentication on certain HTTP CGI endpoints and perform privileged actions without valid credentials, including firmware upload and configuration changes. TP-Link rates that issue, tracked as CVE-2025-15517, at CVSS v4.0 8.6.

The advisory also covers two command injection bugs and one cryptographic weakness. TP-Link says the command injection issues affect administrative CLI paths for wireless control and modem management, while the cryptographic issue stems from a hardcoded key in the configuration encryption mechanism. Together, the bugs could let attackers tamper with router settings, run operating system commands, and compromise device integrity.

The immediate real-world risk depends on which flaw an attacker can reach. CVE-2025-15517 does not require authentication, which makes it the most dangerous starting point. The two command injection flaws need administrative privileges, and the hardcoded-key issue needs authenticated access, but all three still matter because compromised edge devices can expose traffic, enable persistence, and give attackers a foothold inside a local network.

TP-Link has already released patched firmware for the affected Archer NX models. The company also notes that the specific products named in this advisory are not sold in the United States, even though the advisory appears on its U.S. support site.

What the vulnerabilities do

TP-Link says CVE-2025-15517 comes from a missing authentication check in the HTTP server for certain CGI endpoints. That flaw allows unauthenticated access to functions meant only for logged-in users, including firmware upload and configuration operations.

The other two major bugs, CVE-2025-15518 and CVE-2025-15519, are command injection vulnerabilities in administrative CLI paths. According to TP-Link and NVD, crafted input can be executed as part of an operating system command, which means an authenticated administrator-level attacker could run arbitrary commands on the device.

The fourth issue, CVE-2025-15605, involves a hardcoded cryptographic key inside the configuration protection mechanism. TP-Link says an authenticated attacker could decrypt configuration data, alter it, and re-encrypt it, which puts confidentiality and integrity at risk even without direct code execution.

Affected models and fixed firmware

| Model | Vulnerable builds below | Fixed build line |
|---|---|---|
| Archer NX600 v3.0 | 1.3.0 Build 260309 | 1.3.0 Build 260309 or later |
| Archer NX600 v2.0 | 1.3.0 Build 260311 | 1.3.0 Build 260311 or later |
| Archer NX600 v1.0 | 1.4.0 Build 260311 | 1.4.0 Build 260311 or later |
| Archer NX500 v2.0 | 1.5.0 Build 260309 | 1.5.0 Build 260309 or later |
| Archer NX500 v1.0 | 1.3.0 Build 260311 | 1.3.0 Build 260311 or later |
| Archer NX210 v3.0 | 1.3.0 Build 260309 | 1.3.0 Build 260309 or later |
| Archer NX210 v2.0 / v2.20 | 1.3.0 Build 260311 | 1.3.0 Build 260311 or later |
| Archer NX200 v3.0 | 1.3.0 Build 260309 | 1.3.0 Build 260309 or later |
| Archer NX200 v2.20 / v2.0 | 1.3.0 Build 260311 | 1.3.0 Build 260311 or later |
| Archer NX200 v1.0 | 1.8.0 Build 260311 | 1.8.0 Build 260311 or later |

TP-Link published these exact hardware-version and firmware-version cutoffs in its advisory, so users need to match both the model and hardware revision before updating.

Why this matters

Routers sit at the edge of the network, so even one vulnerable device can create a bigger security problem than many users expect. An auth bypass that reaches firmware upload or configuration controls can let an attacker alter how the router behaves, while command injection can hand over direct OS-level control after privilege escalation or credential theft.

This does not mean every vulnerable router on the internet is already compromised. The advisory describes what attackers could do, not a confirmed mass exploitation campaign. Still, the bug set is serious enough that delaying updates creates unnecessary risk, especially for devices that are exposed to untrusted networks or that use reused admin passwords.

What users should do now

  • Check the exact router model and hardware revision in the admin interface or device label.
  • Compare the installed firmware version against TP-Link’s fixed versions.
  • Download and install the latest firmware for the exact device revision from TP-Link’s support page.
  • Change the router admin password if it is weak, reused, or old.
  • Limit management access to trusted local networks only.
  • Review configuration changes and firmware state if the router has shown unusual behavior.
  • Reboot after patching if TP-Link’s update flow or release notes require it.
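For anyone checking more than one router, the first two steps can be scripted. The sketch below is an added example, not TP-Link code: it encodes the fixed-build table from this article and classifies inventory entries. It assumes firmware strings have the form "X.Y.Z Build NNNNNN" and that ordering is by version number first, then build number; the function names and the inventory rows are constructed for illustration.

```python
import re

# Fixed firmware per (model, hardware revision), copied from the table in this article.
FIXED = {
    ("NX600", "3.0"): "1.3.0 Build 260309",
    ("NX600", "2.0"): "1.3.0 Build 260311",
    ("NX600", "1.0"): "1.4.0 Build 260311",
    ("NX500", "2.0"): "1.5.0 Build 260309",
    ("NX500", "1.0"): "1.3.0 Build 260311",
    ("NX210", "3.0"): "1.3.0 Build 260309",
    ("NX210", "2.0"): "1.3.0 Build 260311", ("NX210", "2.20"): "1.3.0 Build 260311",
    ("NX200", "3.0"): "1.3.0 Build 260309",
    ("NX200", "2.0"): "1.3.0 Build 260311", ("NX200", "2.20"): "1.3.0 Build 260311",
    ("NX200", "1.0"): "1.8.0 Build 260311",
}

FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})", re.I)

def parse_fw(text):
    """Turn '1.3.0 Build 260309' into (1, 3, 0, 260309); None if unparseable."""
    m = FW_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(model, hw_rev, firmware):
    """Return 'vulnerable', 'fixed', or 'unknown' for one inventory entry."""
    model = model.upper().replace("ARCHER", "").strip()
    hw = hw_rev.lower().lstrip("v").strip()
    fixed = FIXED.get((model, hw))
    installed = parse_fw(firmware)
    if fixed is None or installed is None:
        return "unknown"  # not in the advisory table, or unreadable version string
    # Assumption: compare (major, minor, patch, build) as one ordered tuple.
    return "vulnerable" if installed < parse_fw(fixed) else "fixed"

# Constructed inventory rows: (model, hardware revision, installed firmware).
INVENTORY = [
    ("Archer NX600", "v3.0", "1.3.0 Build 250114"),
    ("Archer NX600", "v1.0", "1.3.0 Build 260311"),  # same firmware string...
    ("Archer NX600", "v2.0", "1.3.0 Build 260311"),  # ...different hardware revision
    ("Archer NX210", "V2.20", "1.3.0 Build 260311 Rel.12345"),
    ("Archer AX55", "v1.0", "1.2.0 Build 240101"),
]

def report(rows=INVENTORY):
    return [(m, h, assess(m, h, f)) for m, h, f in rows]

if __name__ == "__main__":
    for row in report():
        print(*row)
```

The two NX600 rows with identical firmware strings come out differently, which is why the hardware revision has to be matched before trusting a version number.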

FAQ

Which TP-Link routers are affected?

TP-Link says the Archer NX200, NX210, NX500, and NX600 are affected across multiple hardware revisions and older firmware builds.

Can attackers exploit these bugs without a password?

One of them can. CVE-2025-15517 is an authentication bypass flaw that allows unauthenticated access to certain privileged HTTP actions. The command injection flaws require authenticated administrative access.

Can these flaws lead to full device compromise?

Yes, in some cases. TP-Link says the command injection bugs can let an authenticated admin-level attacker execute arbitrary operating system commands, and the auth bypass can expose privileged firmware and configuration actions.

Has TP-Link released fixes?

Yes. TP-Link has published patched firmware for the affected Archer NX hardware versions and recommends updating immediately.
