TP-Link Archer NX Routers Patched for Firmware Takeover and Config Decryption Flaws
TP-Link released firmware updates for Archer NX200, NX210, NX500, and NX600 routers to address multiple high-severity vulnerabilities, including CVE-2025-15517, an authentication bypass issue that could let an unauthenticated attacker upload malicious firmware and carry out privileged configuration changes. The flaws affect the Archer NX product line and prompted TP-Link to urge customers to install the latest firmware immediately.
The updates also fix CVE-2025-15605, a hardcoded cryptographic key weakness mapped to CWE-321. That flaw allows an authenticated attacker to decrypt router configuration files, alter them, and re-encrypt them, compromising the confidentiality and integrity of stored settings. Reporting on the patches comes amid broader scrutiny of TP-Link devices, including prior CISA action on other TP-Link router vulnerabilities and wider regulatory attention on foreign-made consumer networking equipment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
TP-Link releases firmware updates for Archer NX routers
TP-Link released firmware updates for Archer NX200, NX210, NX500, and NX600 routers to fix multiple high-severity vulnerabilities. The updates addressed issues including an authentication bypass flaw that could let unauthenticated attackers upload malicious firmware and perform privileged configuration actions, and a hardcoded cryptographic key flaw affecting configuration encryption.
CVE-2025-15605 is publicly disclosed
A public vulnerability entry described CVE-2025-15605 as a hardcoded cryptographic key issue in TP-Link Archer NX200, NX210, NX500, and NX600 devices. The flaw allows an authenticated attacker to decrypt configuration files, modify them, and re-encrypt them, impacting confidentiality and integrity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password
techrepublic.com
Open sourcePatch now: TP-Link Archer NX routers vulnerable to firmware takeover
securityaffairs.com
Open sourceCVE-2025-15605 - Hardcoded Cryptographic Key in Configuration Encryption Mechanism on TP-Link Archer NX200, NX210, NX500 and NX600
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TP-Link Archer Routers Patched for Command Injection and Multiple Security Flaws
TP-Link has disclosed and patched a high-severity authenticated command injection flaw, **CVE-2026-5509**, affecting **Archer BE450 v1** and **BE7200 v1** routers. The vulnerability in the web management interface carries a **CVSS 8.5** score and can let an attacker who has already gained administrative access execute arbitrary system commands, potentially leading to elevated privileges, configuration tampering, unauthorized service execution, and interception of sensitive network traffic. TP-Link said devices running firmware earlier than **`1.3.0 Build 20260416`** are vulnerable and urged customers to install the latest firmware from its regional support portals. The disclosure follows broader reporting on security weaknesses affecting **TP-Link Archer NX** routers, adding to concerns over exploitable flaws in the vendor’s consumer networking lineup. Together, the reports highlight continued risk in internet-facing router management functions, where compromised credentials or prior access can turn web interface bugs into full device compromise. Organizations and home users using affected Archer models should verify firmware versions, restrict administrative access, and apply vendor updates immediately.
Jun 2, 2026
Command Injection Flaws Expose TP-Link Archer NX Routers to Admin-Level RCE
TP-Link Archer `NX200`, `NX210`, `NX500`, and `NX600` routers are affected by two high-severity command injection vulnerabilities, tracked as **CVE-2025-15518** and **CVE-2025-15519**. The flaws stem from improper input handling in administrative CLI functions: one in a wireless-control command and the other in a modem-management command. In both cases, crafted input can be incorporated into operating system commands, enabling arbitrary command execution on the underlying device. The vulnerabilities require an authenticated attacker with administrative privileges, but successful exploitation could compromise the **confidentiality, integrity, and availability** of affected routers. Both issues are classified as `CWE-78` and were published as new CVE records with high-impact `CVSS v4.0` scoring. The CVE entries point users to TP-Link firmware download pages and support documentation for remediation guidance.
Mar 23, 2026
TP-Link Archer AX53 Flaws Enable Command Injection via OpenVPN and dnsmasq
TP-Link Archer AX53 v1.0 routers were found to contain two high-severity OS command injection vulnerabilities, tracked as **`CVE-2026-30815`** and **`CVE-2026-30818`**, affecting the device's OpenVPN and dnsmasq modules. In both cases, an authenticated attacker on an adjacent network can supply a specially crafted configuration file to trigger arbitrary command execution because of insufficient input validation, a weakness classified as **`CWE-78`**. Successful exploitation could let an attacker alter router configuration, access sensitive information, and undermine overall device integrity and availability. The flaws affect Archer AX53 v1.0 firmware releases prior to **`1.7.1 Build 20260213`**, and the CVSS v4.0 assessments indicate low attack complexity under adjacent-network conditions with high impact across confidentiality, integrity, and availability.
May 25, 2026