Security Advisory on Multiple Vulnerabilities on TP-Link Archer NX200, NX210, NX500 and NX600 (CVE-2025-15517 to CVE-2025-15519 and CVE-2025-15605)

Security Advisory
Updated 03-23-2026 17:59:41 PM

Description of Vulnerabilities and Impacts:

CVE-2025-15517: Authorization Bypass in HTTP Server Endpoints

A missing authentication check in the HTTP server for certain CGI endpoints allows unauthenticated access to functionality intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.

CVSS v4.0 Score: 8.6 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CVE-2026-15518: Command Injection Vulnerability in Wireless Control CLI Path &

CVE-2026-15519: Command Injection Vulnerability in Modem Management CLI Path

Improper input handling in an administrative CLI command allows crafted input to be executed as part of an OS command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting confidentiality, integrity and availability of the device.

CVSS v4.0 Score: 8.5 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2025-15605: Hardcoded Cryptographic Key in Configuration Encryption Mechanism

A hardcoded cryptographic key in the device's configuration encryption mechanism enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them and re-encrypt them, affecting confidentiality and integrity of device configuration data.

CVSS v4.0 Score: 8.5 / High

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

Affected Product

Affected Hardware Versions / Firmware Versions

Archer NX600

• v3.0: < 1.3.0 Build 260309
• v2.0: < 1.3.0 Build 260311
• v1.0: < 1.4.0 Build 260311

Archer NX500

• v2.0: < 1.5.0 Build 260309
• v1.0: < 1.3.0 Build 260311

Archer NX210

• v3.0: < 1.3.0 Build 260309
• v2.0 & v2.20: < 1.3.0 Build 260311

Archer NX200

• v3.0: < 1.3.0 Build 260309
• v2.20: < 1.3.0 Build 260311
• v2.0: < 1.3.0 Build 260311
• v1.0: < 1.8.0 Build 260311
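
The table above can be checked against a device inventory. The following is an added example, not TP-Link code: it assumes devices report firmware in the table's `X.Y.Z Build NNNNNN` form and that releases order by version first, then build number. The inventory rows are constructed.

```python
import re

# First fixed firmware per model and hardware version, copied from the table above.
FIXED = {
    "NX600": {"v3.0": "1.3.0 Build 260309", "v2.0": "1.3.0 Build 260311",
              "v1.0": "1.4.0 Build 260311"},
    "NX500": {"v2.0": "1.5.0 Build 260309", "v1.0": "1.3.0 Build 260311"},
    "NX210": {"v3.0": "1.3.0 Build 260309", "v2.0": "1.3.0 Build 260311",
              "v2.20": "1.3.0 Build 260311"},
    "NX200": {"v3.0": "1.3.0 Build 260309", "v2.20": "1.3.0 Build 260311",
              "v2.0": "1.3.0 Build 260311", "v1.0": "1.8.0 Build 260311"},
}

# Exactly six build digits, as in the advisory's table; any other length is
# rejected rather than compared, since its ordering would be a guess.
FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})(?!\d)", re.IGNORECASE)


def parse_fw(text):
    """Return (major, minor, patch, build) or None if the string is not recognised."""
    m = FW_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def assess(model, hw, firmware):
    """Classify one device: 'affected', 'fixed', 'not-listed' or 'unknown'."""
    model = model.upper().replace("ARCHER", "").strip()
    fixed = FIXED.get(model, {}).get(hw.lower().strip())
    if fixed is None:
        return "not-listed"  # model or hardware revision is not in the advisory
    current = parse_fw(firmware)
    if current is None:
        return "unknown"     # unparseable: verify by hand, never assume fixed
    # Assumption: releases order by version first, then build number.
    return "affected" if current < parse_fw(fixed) else "fixed"


# Constructed inventory rows: (model, hardware version, reported firmware string).
INVENTORY = [
    ("Archer NX200", "v1.0", "1.7.2 Build 250814"),
    ("Archer NX600", "v3.0", "1.3.0 Build 260309"),
    ("Archer NX500", "V2.0", "1.5.0 Build 251120 rel.12345"),
    ("Archer NX210", "v2.20", "firmware string missing"),
    ("Archer NX999", "v1.0", "1.0.0 Build 240101"),  # placeholder model, not in the advisory
]

if __name__ == "__main__":
    for model, hw, fw in INVENTORY:
        print(f"{model} {hw}: {assess(model, hw, fw)}")
```

Devices reported as `unknown` or `not-listed` need a manual check of the model label and firmware page; neither result means the device is patched.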

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Download and update to the latest firmware version to fix the vulnerabilities.

Download for Archer NX200 | TP-Link

Download for Archer NX210 | TP-Link

Download for Archer NX500 | TP-Link

Download for Archer NX600 | TP-Link

Note: The products mentioned in this security advisory are not sold in the US.

Disclaimer:

If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.
