Security Advisory: Information Disclosure via Diagnostic Interface Due to Improper Input Validation on Archer AX72 (CVE-2026-5511)
Vulnerability and Impact Description:
CVE-2026-5511
In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information.
An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data.
CVSS v4.0 Score: 4.6 / Medium
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Product Model |
Hardware Version |
Region |
Fixed Firmware Version |
|
AX72(SG) |
V1 |
SG |
1.4.6 Build 20260112 rel.66206 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixed the vulnerability:
SG: https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware
Note: Other country versions are not affected by this vulnerability.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.