Back to Home

TP-Link Archer NX Vulnerabilities: CVE-2025-15517 and Patches

TP-Link Fixed Critical Vulnerabilities in Archer NX Routers, Including CVE-2025-15517 with RCE without Authentication. Patches Fix Hardcoded Crypto Keys and Command Injections. Update Recommendations to Minimize Risks.

Critical Bugs in TP-Link Archer NX: RCE and Injections
Advertisement 728x90

# Critical Vulnerabilities in TP-Link Archer NX Routers: Details and Patches

TP-Link has released firmware updates for the Archer NX200, NX210, NX500, and NX600 models, addressing several critical vulnerabilities. The main one—CVE-2025-15517—allowed anonymous uploading of arbitrary firmware via unprotected CGI endpoints on the HTTP server. This opened the door to full device compromise without authentication.

The updates also fix issues with configuration cryptography and command injection, leaving the routers vulnerable to privilege escalation attacks. Below is a breakdown of each vulnerability with technical details.

Breakdown of CVE-2025-15517: Unauthorized Firmware Upload

This vulnerability stemmed from a lack of authentication checks in the router's HTTP server. An attacker could access specific CGI endpoints that perform privileged actions:

Google AdInline article slot
  • Changing configuration.
  • Uploading and applying new firmware.
  • Full control over the device.

Without authentication, any remote attacker with network access could overwrite the firmware, injecting a backdoor or malicious code. The severity is confirmed by a high CVSS score—potential for RCE with no effort.

The patch in the updated firmware introduces mandatory session and token checks for all sensitive endpoints, blocking anonymous access.

CVE-2025-15605: Hardcoded Crypto Key in Configuration

The configuration mechanism used a static crypto key hardcoded into the code. An authorized attacker with access to config files could:

Google AdInline article slot
  • Decrypt the configuration.
  • Analyze or extract sensitive data (Wi-Fi passwords, accounts).
  • Make changes.
  • Re-encrypt the file with a fake key.

This created attack chains: from traffic interception to persistent access. The update generates dynamic keys based on the device's hardware metrics, strengthening protection against reverse engineering.

Command Injections: CVE-2025-15518 and CVE-2025-15519

Two vulnerabilities allowed low-privilege admins to execute arbitrary shell commands on the router. Possible vectors:

  • CVE-2025-15518: Via parameters in the web interface, unescaped from shell metacharacters (;, &&, |).
  • CVE-2025-15519: In diagnostic API endpoints, where input wasn't validated.

Example scenario: ping 127.0.0.1; rm -rf /etc/config—deleting critical files. Patches add input sanitization, command whitelisting, and context-dependent validation.

Google AdInline article slot

| Vulnerability | CVSS | Attack Vector | Patch Status |

|--------------|------|---------------|--------------|

| CVE-2025-15517 | 9.8 | Remote RCE | Fixed |

| CVE-2025-15605 | 7.5 | Config tampering | Fixed |

| CVE-2025-15518 | 8.1 | Command injection | Fixed |

| CVE-2025-15519 | 8.1 | Command injection | Fixed |

Update and Migration Recommendations

  • Download the firmware from the TP-Link website for your model (Archer NX200/210/500/600).
  • Update via the web interface or TFTP recovery if bricked.
  • After updating, change all passwords and check logs for suspicious activity.
  • Use VLAN segregation to isolate the router from IoT devices.

TP-Link emphasizes: without the patch, devices remain at risk, and the manufacturer does not guarantee protection from exploitation.

Key Takeaways

  • CVE-2025-15517 allows RCE without auth: Full remote firmware replacement.
  • Hardcoded key in config: Easy access to passwords and settings.
  • Command injection for admins: Privilege escalation via shell.
  • Mandatory update: Patches are available; risks persist without them.
  • Middle/senior focus: Check CGI endpoints and crypto in your embedded projects.

— Editorial Team

Advertisement 728x90

Read Next