High

OS Command Injection in TP-Link Archer NX modem-management administrative CLI

IdentifiersCVE-2025-15519CWE-78· Improper Neutralization of Special…

CVE-2025-15519 is an OS command injection vulnerability affecting TP-Link Archer NX200, NX210, NX500, and NX600 devices. The flaw is caused by improper input handling in a modem-management administrative CLI command, where crafted input is incorporated into an operating system command without sufficient sanitization or neutralization. As a result, an authenticated attacker operating with administrative privileges can cause arbitrary commands to be executed on the underlying operating system of the device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary command execution on the router operating system with the privileges available to the vulnerable administrative CLI context. This can compromise the confidentiality, integrity, and availability of the affected device, including unauthorized modification of configuration, execution of malicious system commands, disruption of router services, and potential full administrative control of the appliance.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the administrative interface and any administrative CLI functionality to trusted administrators only, limit management exposure to isolated management networks, disable remote administration where feasible, and monitor for unexpected administrative activity or command execution on affected devices. These measures reduce exposure but do not eliminate the underlying vulnerability; vendor firmware updates are the definitive fix.

Remediation

Patch, then assume compromise.

Apply the latest TP-Link firmware updates for affected Archer NX200, NX210, NX500, and NX600 models. TP-Link has released patches and advised customers to immediately install the latest firmware versions available through the vendor firmware download pages and associated support guidance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

TP-LinkArcher Nx200hardware

TP-LinkArcher Nx200 Firmwareoperating_system

TP-LinkArcher Nx210hardware

TP-LinkArcher Nx210 Firmwareoperating_system

TP-LinkArcher Nx500hardware

TP-LinkArcher Nx500 Firmwareoperating_system

TP-LinkArcher Nx600hardware

TP-LinkArcher Nx600 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

techrepublic com securityNews

Mar 26, 2026

TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password

A command execution vulnerability in TP-Link Archer NX series routers that allows attackers to execute malicious commands in admin mode.

cvefeed high severityNews

Mar 23, 2026

CVE-2025-15519 - Command Injection in Modem Management CLI on TP-Link Archer NX200, NX210, NX500 and NX600

An authenticated command injection vulnerability in a modem-management administrative CLI command affecting TP-Link Archer NX200, NX210, NX500, and NX600 devices, allowing arbitrary operating system command execution by an attacker with administrative privileges.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-15519

NVD

nvd.nist.gov/vuln/detail/CVE-2025-15519

MITRE CWE · CWE-78

Improper Neutralization of Special Elements…

Vendor Advisory

tp-link.com/us/support/faq/5027

Product

tp-link.com/en/support/download/archer-nx200

Product

tp-link.com/en/support/download/archer-nx210

Product

tp-link.com/en/support/download/archer-nx500

Product

tp-link.com/en/support/download/archer-nx600