Statement on Authenticated RCE by CWMP binary (CVE-2025-9961)
Vulnerability Description:
An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500 series.
Impact:
This flaw will impact CWMP function, it is disabled by default.
The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.
AX10 V1/V1.2/V2/V2.6/V3/V3.6:
https://www.tp-link.com/us/support/download/archer-ax10/#Firmware
AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6
https://www.tp-link.com/us/support/download/archer-ax1500/#Firmware
CVSS v4.0 Score: 8.6 / High
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
Affected Product Model |
Related Vulnerabilities |
Affected Version |
Fixed Version |
AX10 V1/V1.2/V2/V2.6/V3/V3.6 |
CVE-2025-9961 |
Firmware <1.2.1 |
Firmware >= 1.2.1 |
AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6 |
CVE-2025-9961 |
Firmware < 1.3.11 |
Firmware >= 1.3.12 |
Recommendation(s):
We strongly recommended that users with the affected device(s) take the following action(s):
- Update to the latest firmware to fix the vulnerabilities.
Disclaimer:
If you do not take the recommended action(s) stated above, this vulnerability concern will remain. TP-Link cannot bear any responsibility for the consequences that could have been avoided by following the recommended action(s) in this statement.
Is this faq useful?
Your feedback helps improve this site.

TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.