Security Advisory: Command Injection in Archer MR600 WireGuard Client Configuration (CVE-2026-8913)
Vulnerability and Impact Description:
CVE-2026-8913
A command injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.
Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
CVSS v4.0 Score: 8.5 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
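The following Python code is an added example, not TP-Link firmware code, of the kind of input neutralization the description refers to: each field of a WireGuard client profile is checked against a strict allow-list before the configuration is applied. The advisory does not name the affected parameter, so the field names and the `validate_profile` helper are assumptions.

```python
import base64
import ipaddress
import re

# Field names are hypothetical; the advisory does not name the affected
# parameter, so every field of the profile is treated as untrusted.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(r"(?=.{1,253}\Z)%s(\.%s)*\Z" % (_LABEL, _LABEL))

def _key(value):
    # A WireGuard key is 32 raw bytes, i.e. exactly 44 base64 characters.
    if len(value) != 44 or len(base64.b64decode(value, validate=True)) != 32:
        raise ValueError("not a 32-byte base64 key")
    return value

def _endpoint(value):
    host, sep, port = value.rpartition(":")
    if not (sep and port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("expected host:port")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        return "[%s]:%d" % (ipaddress.IPv6Address(host[1:-1]), int(port))
    if not _HOST_RE.match(host):
        raise ValueError("host contains characters outside the allow-list")
    return "%s:%d" % (host, int(port))

def _allowed_ips(value):
    # Re-serialise from parsed objects so only canonical text survives.
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",")]
    return ",".join(str(n) for n in nets)

VALIDATORS = {"private_key": _key, "peer_public_key": _key,
              "endpoint": _endpoint, "allowed_ips": _allowed_ips}

def validate_profile(form):
    """Return a cleaned copy of the profile, or raise ValueError naming the field."""
    if set(form) != set(VALIDATORS):
        raise ValueError("unexpected or missing fields")
    clean = {}
    for name, check in VALIDATORS.items():
        try:
            if not isinstance(form[name], str):
                raise ValueError("must be a string")
            clean[name] = check(form[name])
        except ValueError as exc:  # binascii.Error and ipaddress errors subclass it
            raise ValueError("%s rejected: %s" % (name, exc)) from None
    return clean

if __name__ == "__main__":
    key = base64.b64encode(bytes(range(32))).decode()  # constructed sample key
    print(validate_profile({"private_key": key, "peer_public_key": key,
                            "endpoint": "vpn.example.net:51820",
                            "allowed_ips": "10.0.0.1/24, ::/0"}))
```

Validated values should then be written to the configuration file or passed as separate process arguments, never concatenated into a shell command line.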
Affected Products/Versions and Fixes:
| Product Model | Hardware Version | Fixed Firmware Version |
|---|---|---|
| Archer MR600 | V5 | EU_V5_1.7.0 0.9.1 260518 rel67803 |
| Archer MR600 | V5 | JP_V5_1.2.0 0.9.1 260519 rel52362 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixes the vulnerability:
  - EN: Download for Archer MR600 | TP-Link
  - JP: Archer MR600 Content | TP-Link Japan
Note: MR600 is not sold in the US.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.