High

Hardcoded Cryptographic Key in TP-Link Archer NX Configuration Encryption Mechanism

IdentifiersCVE-2025-15605CWE-321· Use of Hard-coded Cryptographic Key

CVE-2025-15605 is a vulnerability in the configuration encryption mechanism of TP-Link Archer NX200, NX210, NX500, and NX600 routers caused by the use of a hardcoded cryptographic key. Because the same embedded key can be used to process configuration data, an authenticated attacker can decrypt protected configuration files, alter their contents, and then re-encrypt them into a form accepted by the device. This breaks the intended protection of stored or exported configuration data and allows unauthorized manipulation of router settings despite the presence of configuration encryption.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation compromises the confidentiality and integrity of device configuration data. An authenticated attacker can read sensitive router settings from configuration files and modify those settings before re-encrypting them, enabling unauthorized changes to device behavior and network configuration. The provided material does not indicate a direct availability impact, but the ability to alter configuration data could facilitate concealment of malicious changes and broader unauthorized control over router configuration.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting access to router administrative interfaces to trusted management networks and trusted users only, minimizing the number of accounts with login access, and monitoring for unauthorized configuration changes. Because exploitation requires authenticated access, enforcing strong unique credentials, disabling unnecessary management exposure, and reviewing configuration integrity can reduce risk until firmware updates are applied. However, the authoritative fix is to install the vendor firmware updates.

Remediation

Patch, then assume compromise.

Apply the latest TP-Link firmware updates for affected Archer NX models. The provided content states TP-Link fixed CVE-2025-15605 and urged customers to immediately install the latest firmware versions. Affected versions include firmware earlier than the following fixed builds: Archer NX600 v3.0 before 1.3.0 Build 260309; NX600 v2.0 before 1.3.0 Build 260311; NX600 v1.0 before 1.4.0 Build 260311; NX500 v2.0 before 1.5.0 Build 260309; NX500 v1.0 before 1.3.0 Build 260311; NX210 v3.0 before 1.3.0 Build 260309; NX210 v2.0/v2.20 before 1.3.0 Build 260311; NX200 v3.0 before 1.3.0 Build 260309; NX200 v2.0/v2.20 before 1.3.0 Build 260311; and NX200 v1.0 before 1.8.0 Build 260311.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

TP-LinkArcher Nx200hardware

TP-LinkArcher Nx200 Firmwareoperating_system

TP-LinkArcher Nx210hardware

TP-LinkArcher Nx210 Firmwareoperating_system

TP-LinkArcher Nx500hardware

TP-LinkArcher Nx500 Firmwareoperating_system

TP-LinkArcher Nx600hardware

TP-LinkArcher Nx600 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

techrepublic com securityNews

Mar 26, 2026

TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password

A vulnerability in TP-Link Archer NX series routers that lets authenticated attackers abuse the router cryptographic key to decrypt, alter, and re-encrypt configuration files, enabling manipulation of router settings and concealment of activity.

security affairsNews

Mar 25, 2026

Patch now: TP-Link Archer NX routers vulnerable to firmware takeover

A hardcoded cryptographic key vulnerability in the TP-Link Archer NX router configuration encryption mechanism that allows authenticated attackers to decrypt, modify, and re-encrypt configuration files.

cvefeed high severityNews

Mar 23, 2026

CVE-2025-15605 - Hardcoded Cryptographic Key in Configuration Encryption Mechanism on TP-Link Archer NX200, NX210, NX500 and NX600

A hardcoded cryptographic key vulnerability in the configuration mechanism of TP-Link Archer NX200, NX210, NX500, and NX600 devices that allows an authenticated attacker to decrypt, modify, and re-encrypt configuration data, impacting confidentiality and integrity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1