High

Command Injection in TP-Link Archer NX wireless-control administrative CLI

IdentifiersCVE-2025-15518CWE-78· Improper Neutralization of Special…

CVE-2025-15518 is a command injection vulnerability affecting TP-Link Archer NX200, NX210, NX500, and NX600 routers. The flaw is caused by improper input handling in a wireless-control administrative CLI command, where crafted input is incorporated into an operating system command without sufficient sanitization or neutralization. As a result, an authenticated attacker who already has administrative privileges can cause arbitrary commands to be executed on the underlying operating system of the device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary operating system command execution on the affected router. This can compromise the confidentiality, integrity, and availability of the device, including unauthorized access to sensitive router data and configuration, modification of system or network settings, installation of persistent changes, and disruption of router operation or connected network services.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the administrative CLI and management interfaces to trusted administrators only, limit management exposure to isolated internal networks, disable any unnecessary remote administration paths, and monitor for unexpected administrative activity or command execution on affected devices. Because exploitation requires authenticated administrative access, reducing and tightly controlling admin access materially lowers exposure until firmware updates can be applied.

Remediation

Patch, then assume compromise.

Apply the vendor-provided firmware updates for affected TP-Link Archer NX200, NX210, NX500, and NX600 devices. TP-Link has released patches for this vulnerability and advised customers to immediately install the latest firmware versions referenced in the vendor support and firmware download pages.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

TP-LinkArcher Nx200hardware

TP-LinkArcher Nx200 Firmwareoperating_system

TP-LinkArcher Nx210hardware

TP-LinkArcher Nx210 Firmwareoperating_system

TP-LinkArcher Nx500hardware

TP-LinkArcher Nx500 Firmwareoperating_system

TP-LinkArcher Nx600hardware

TP-LinkArcher Nx600 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

techrepublic com securityNews

Mar 26, 2026

TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password

A command execution vulnerability in TP-Link Archer NX series routers that allows attackers to execute malicious commands in admin mode.

cvefeed high severityNews

Mar 23, 2026

CVE-2025-15518 - Command Injection in Wireless Control CLI on TP-Link Archer NX200, NX210, NX500 and NX600

An authenticated command injection vulnerability in a wireless-control administrative CLI command affecting multiple TP-Link Archer router models, allowing administrative users to execute arbitrary operating system commands.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-15518

NVD

nvd.nist.gov/vuln/detail/CVE-2025-15518

MITRE CWE · CWE-78

Improper Neutralization of Special Elements…

Vendor Advisory

tp-link.com/us/support/faq/5027

Product

tp-link.com/en/support/download/archer-nx200

Product

tp-link.com/en/support/download/archer-nx210

Product

tp-link.com/en/support/download/archer-nx500

Product

tp-link.com/en/support/download/archer-nx600