TP-Link Archer Routers Vulnerable to Unauthenticated Takeover

TP-Link has released security updates addressing several vulnerabilities in its Archer NX router series, including a critical authentication bypass flaw that allows unauthenticated attackers to upload firmware and modify device configurations remotely. The company is urging customers to update immediately.

The most severe vulnerability, tracked as CVE-2025-15517, stems from missing authentication checks in the router's HTTP server. Attackers can access CGI endpoints intended for authenticated administrators, enabling complete device compromise without knowing any credentials.

Affected Models

The authentication bypass impacts the following TP-Link Archer NX router models:

• Archer NX200
• Archer NX210
• Archer NX500
• Archer NX600

These routers are popular in both home and small business environments, making the vulnerability particularly concerning given the potential scale of affected devices.

What Attackers Can Do

CVE-2025-15517 allows unauthenticated remote attackers to perform privileged HTTP actions including:

• Firmware upload - Attackers can push malicious firmware to the router, establishing persistent access that survives reboots and potentially creating a botnet node
• Configuration modification - DNS settings, firewall rules, and network parameters can be changed to redirect traffic or expose internal networks
• Credential extraction - Router admin passwords and WiFi credentials become accessible

The ability to upload arbitrary firmware is especially dangerous. Router botnets like Kadnap have demonstrated how compromised consumer networking equipment can be weaponized for proxy services, DDoS attacks, and persistent network access.

Additional Vulnerabilities Patched

TP-Link's security update also addresses three other flaws:

CVE-2025-15605 - A hardcoded cryptographic key in the configuration mechanism allows authenticated attackers to decrypt configuration files, modify them, and re-encrypt them. This could enable privilege escalation or persistence even after password changes.

CVE-2025-15518 and CVE-2025-15519 - Command injection vulnerabilities that enable attackers with admin privileges to execute arbitrary system commands. While requiring authentication, these flaws could be chained with the auth bypass for full compromise.

Related Authentication Bypass

A separate vulnerability, CVE-2026-0834, affects TP-Link Archer C20 v6.0 and Archer AX53 v1.0 routers. This flaw allows unauthenticated attackers on the adjacent network to execute administrative commands including factory resets and device reboots without credentials.

While CVE-2026-0834 requires network adjacency rather than internet reachability, it remains concerning for environments where attackers have local network access.

Patch Now

TP-Link has released firmware updates addressing all vulnerabilities. The company "strongly" urged customers to download and install the latest firmware versions, warning that failure to patch leaves systems vulnerable to exploitation.

To update:

1. Visit TP-Link's support portal and locate your specific router model
2. Download the latest firmware version
3. Log into your router's admin interface (typically 192.168.0.1)
4. Navigate to System Tools > Firmware Upgrade
5. Select the downloaded firmware file and apply

Before updating, note that firmware upgrades typically reset custom configurations. Document your current settings if you've made customizations.

Detection Considerations

Organizations should audit their networks for TP-Link Archer NX devices and prioritize patching. Signs of compromise might include:

• Unexpected configuration changes
• Modified DNS settings pointing to unfamiliar servers
• Unknown firmware versions
• Unusual outbound connections from the router

Network monitoring solutions should flag any unauthenticated HTTP requests to router management interfaces, particularly those targeting CGI endpoints.

Why This Matters

Consumer and SOHO routers represent an increasingly attractive target. These devices often lack enterprise security monitoring, receive infrequent updates, and sit at the network perimeter where they can intercept all traffic. The CISA directive on edge device replacement highlighted how legacy network equipment poses systemic risk.

For home users with any of the affected models, patching should be treated as urgent. The combination of unauthenticated access and firmware upload capability means attackers could establish persistent, difficult-to-remove footholds in compromised networks.