Authenticated Command Injection in TP-Link Archer MR600 v5 (CVE-2025-14756)
TP-Link issued a security advisory for an authenticated command injection vulnerability in the Archer MR600 v5 router’s web-based admin interface, tracked as CVE-2025-14756 with a CVSS 8.5 rating. The flaw stems from insufficient input sanitization in the admin interface component, enabling a logged-in attacker to execute arbitrary system commands by submitting crafted input via the browser’s developer console; while the injected command length is limited, successful exploitation can still result in service disruption or full device compromise.
Affected devices are Archer MR600 v5 units running firmware versions prior to the fixed release (reported as versions below v0001.0 Build 250930 Rel.63611n / older than 1.1.0 and including 0.9.1 and below, depending on versioning notation in the advisory). The reported attack conditions include requiring valid admin credentials and adjacent network access, but the impact is high due to potential complete router takeover; TP-Link’s recommended mitigation is to apply the latest firmware update immediately, and one report notes the model is not sold in the United States, potentially limiting exposure there.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
TP-Link releases patched firmware for affected Archer MR600 v5 devices
TP-Link made updated firmware available to fix the vulnerability, with affected devices identified as Archer MR600 v5 units running firmware older than 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n. The company advised users to download and install the latest firmware from its support channels.
TP-Link discloses CVE-2025-14756 in Archer MR600 v5 routers
TP-Link published a security advisory for CVE-2025-14756, a high-severity authenticated command injection flaw in the web management interface of Archer MR600 v5 routers. The vulnerability could let an authenticated attacker execute system commands and potentially fully compromise the device.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TP-Link Archer Routers Patched for Command Injection and Multiple Security Flaws
TP-Link has disclosed and patched a high-severity authenticated command injection flaw, **CVE-2026-5509**, affecting **Archer BE450 v1** and **BE7200 v1** routers. The vulnerability in the web management interface carries a **CVSS 8.5** score and can let an attacker who has already gained administrative access execute arbitrary system commands, potentially leading to elevated privileges, configuration tampering, unauthorized service execution, and interception of sensitive network traffic. TP-Link said devices running firmware earlier than **`1.3.0 Build 20260416`** are vulnerable and urged customers to install the latest firmware from its regional support portals. The disclosure follows broader reporting on security weaknesses affecting **TP-Link Archer NX** routers, adding to concerns over exploitable flaws in the vendor’s consumer networking lineup. Together, the reports highlight continued risk in internet-facing router management functions, where compromised credentials or prior access can turn web interface bugs into full device compromise. Organizations and home users using affected Archer models should verify firmware versions, restrict administrative access, and apply vendor updates immediately.
Jun 2, 2026
Command Injection Flaws Expose TP-Link Archer NX Routers to Admin-Level RCE
TP-Link Archer `NX200`, `NX210`, `NX500`, and `NX600` routers are affected by two high-severity command injection vulnerabilities, tracked as **CVE-2025-15518** and **CVE-2025-15519**. The flaws stem from improper input handling in administrative CLI functions: one in a wireless-control command and the other in a modem-management command. In both cases, crafted input can be incorporated into operating system commands, enabling arbitrary command execution on the underlying device. The vulnerabilities require an authenticated attacker with administrative privileges, but successful exploitation could compromise the **confidentiality, integrity, and availability** of affected routers. Both issues are classified as `CWE-78` and were published as new CVE records with high-impact `CVSS v4.0` scoring. The CVE entries point users to TP-Link firmware download pages and support documentation for remediation guidance.
Mar 23, 2026
TP-Link Archer AX53 Flaws Enable Command Injection via OpenVPN and dnsmasq
TP-Link Archer AX53 v1.0 routers were found to contain two high-severity OS command injection vulnerabilities, tracked as **`CVE-2026-30815`** and **`CVE-2026-30818`**, affecting the device's OpenVPN and dnsmasq modules. In both cases, an authenticated attacker on an adjacent network can supply a specially crafted configuration file to trigger arbitrary command execution because of insufficient input validation, a weakness classified as **`CWE-78`**. Successful exploitation could let an attacker alter router configuration, access sensitive information, and undermine overall device integrity and availability. The flaws affect Archer AX53 v1.0 firmware releases prior to **`1.7.1 Build 20260213`**, and the CVSS v4.0 assessments indicate low attack complexity under adjacent-network conditions with high impact across confidentiality, integrity, and availability.
May 25, 2026