Command Injection Flaws Expose TP-Link Archer NX Routers to Admin-Level RCE
TP-Link Archer NX200, NX210, NX500, and NX600 routers are affected by two high-severity command injection vulnerabilities, tracked as CVE-2025-15518 and CVE-2025-15519. The flaws stem from improper input handling in administrative CLI functions: one in a wireless-control command and the other in a modem-management command. In both cases, crafted input can be incorporated into operating system commands, enabling arbitrary command execution on the underlying device.
The vulnerabilities require an authenticated attacker with administrative privileges, but successful exploitation could compromise the confidentiality, integrity, and availability of affected routers. Both issues are classified as CWE-78 and were published as new CVE records with high-impact CVSS v4.0 scoring. The CVE entries point users to TP-Link firmware download pages and support documentation for remediation guidance.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2025-15519 disclosed for TP-Link Archer modem-management CLI flaw
A new CVE entry, CVE-2025-15519, was published for a command injection vulnerability in the modem-management administrative CLI on TP-Link Archer NX200, NX210, NX500, and NX600 devices. The issue can let an authenticated administrator run arbitrary operating system commands, affecting confidentiality, integrity, and availability.
CVE-2025-15518 recorded for TP-Link Archer command injection flaw
A new CVE entry, CVE-2025-15518, was recorded for a command injection vulnerability in the wireless-control administrative CLI on TP-Link Archer NX200, NX210, NX500, and NX600 devices. The flaw allows an authenticated administrator to execute arbitrary operating system commands via improper input handling.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2025-15519 - Command Injection in Modem Management CLI on TP-Link Archer NX200, NX210, NX500 and NX600
cvefeed.io
Open sourceCVE-2025-15518 - Command Injection in Wireless Control CLI on TP-Link Archer NX200, NX210, NX500 and NX600
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TP-Link Archer Routers Patched for Command Injection and Multiple Security Flaws
TP-Link has disclosed and patched a high-severity authenticated command injection flaw, **CVE-2026-5509**, affecting **Archer BE450 v1** and **BE7200 v1** routers. The vulnerability in the web management interface carries a **CVSS 8.5** score and can let an attacker who has already gained administrative access execute arbitrary system commands, potentially leading to elevated privileges, configuration tampering, unauthorized service execution, and interception of sensitive network traffic. TP-Link said devices running firmware earlier than **`1.3.0 Build 20260416`** are vulnerable and urged customers to install the latest firmware from its regional support portals. The disclosure follows broader reporting on security weaknesses affecting **TP-Link Archer NX** routers, adding to concerns over exploitable flaws in the vendor’s consumer networking lineup. Together, the reports highlight continued risk in internet-facing router management functions, where compromised credentials or prior access can turn web interface bugs into full device compromise. Organizations and home users using affected Archer models should verify firmware versions, restrict administrative access, and apply vendor updates immediately.
Jun 2, 2026
TP-Link Archer NX Routers Patched for Firmware Takeover and Config Decryption Flaws
TP-Link released firmware updates for **Archer NX200, NX210, NX500, and NX600** routers to address multiple high-severity vulnerabilities, including **`CVE-2025-15517`**, an authentication bypass issue that could let an unauthenticated attacker upload malicious firmware and carry out privileged configuration changes. The flaws affect the Archer NX product line and prompted TP-Link to urge customers to install the latest firmware immediately. The updates also fix **`CVE-2025-15605`**, a **hardcoded cryptographic key** weakness mapped to **`CWE-321`**. That flaw allows an authenticated attacker to decrypt router configuration files, alter them, and re-encrypt them, compromising the confidentiality and integrity of stored settings. Reporting on the patches comes amid broader scrutiny of TP-Link devices, including prior CISA action on other TP-Link router vulnerabilities and wider regulatory attention on foreign-made consumer networking equipment.
Mar 26, 2026
TP-Link Archer AX53 Flaws Enable Command Injection via OpenVPN and dnsmasq
TP-Link Archer AX53 v1.0 routers were found to contain two high-severity OS command injection vulnerabilities, tracked as **`CVE-2026-30815`** and **`CVE-2026-30818`**, affecting the device's OpenVPN and dnsmasq modules. In both cases, an authenticated attacker on an adjacent network can supply a specially crafted configuration file to trigger arbitrary command execution because of insufficient input validation, a weakness classified as **`CWE-78`**. Successful exploitation could let an attacker alter router configuration, access sensitive information, and undermine overall device integrity and availability. The flaws affect Archer AX53 v1.0 firmware releases prior to **`1.7.1 Build 20260213`**, and the CVSS v4.0 assessments indicate low attack complexity under adjacent-network conditions with high impact across confidentiality, integrity, and availability.
May 25, 2026