CVE-2025-15517 in Archer NX600 v3.0
Summary
by MITRE • 03/23/2026
A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 for certain CGI endpoints allows unauthenticated access to functionality intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.
Analysis
by VulDB Data Team • 03/31/2026
CVE-2025-15517 is a critical authentication bypass affecting the TP-Link Archer NX200, NX210, NX500 and NX600 wireless routers. The issue stems from insufficient access control in the devices' HTTP server, specifically on certain common gateway interface (CGI) endpoints: the required authentication check is missing, so administrative functions that should be available only to authenticated users can be reached by anyone. The web-based management interface fails to validate the caller's credentials before executing these privileged operations, which gives an attacker a direct path to the router's administrative capabilities without proper authorization.
Technically, the flaw stems from improper input validation and access control enforcement within the HTTP server component of these devices. When a client requests one of the CGI endpoints that implement administrative functions, the server should verify the session credentials before performing the requested operation; for the affected endpoints it does not, so a remote attacker can call them directly and execute administrative commands. The affected functionality includes firmware upload and configuration operations that are normally restricted to authenticated administrators. Exploitation takes nothing more than ordinary HTTP requests to the affected endpoints, with no special tools or privileges beyond network reachability of the device's management interface.
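The bug class described above is easiest to see in code. The following is an added illustration, not TP-Link's firmware or VulDB's code: it contrasts a dispatcher that trusts each CGI handler to check authentication itself (and one privileged handler that forgot) with a dispatcher that denies by default. The endpoint paths and the session store are constructed placeholders.

```python
# Added example of the bug class described above: a per-handler authentication
# check that one privileged endpoint forgot, beside a dispatcher that gates every
# non-public route. Paths and the session store are constructed, not TP-Link code.
from dataclasses import dataclass, field

VALID_SESSIONS = {"sess-7c1a"}  # constructed: cookies issued after a login

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

def is_authenticated(req: Request) -> bool:
    return req.cookies.get("session") in VALID_SESSIONS

def login_page(req):
    return 200, "login form"         # legitimately public

def upload_firmware(req):
    return 200, "firmware accepted"  # privileged: no check of its own

def save_config(req):
    if not is_authenticated(req):    # this handler remembered the check
        return 401, "login required"
    return 200, "config saved"

ROUTES = {
    "/cgi-bin/login.cgi": login_page,
    "/cgi-bin/upload_firmware.cgi": upload_firmware,
    "/cgi-bin/save_config.cgi": save_config,
}

# Vulnerable pattern: the dispatcher trusts each handler to authenticate,
# so upload_firmware is reachable without a session.
def dispatch_vulnerable(req: Request):
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")

# Hardened pattern: deny by default. Only routes listed in PUBLIC_ROUTES skip
# the session check, so a forgotten check in a handler no longer matters.
PUBLIC_ROUTES = {"/cgi-bin/login.cgi"}

def dispatch_hardened(req: Request):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    if req.path not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401, "login required"
    return handler(req)
```

The hardened dispatcher also makes the failure mode auditable: the set of endpoints reachable without a session is the single PUBLIC_ROUTES allow-list rather than whatever each handler happened to implement.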
The operational impact of CVE-2025-15517 goes well beyond unauthorized access: it hands an attacker complete control of the affected router. Once the flaw is exploited, the attacker can upload malicious firmware, modify network configurations, redirect traffic, or establish persistent backdoors in the network infrastructure. Because these routers are the core networking equipment protecting the local network, compromising them directly degrades the security posture of everything behind them. The consequences are most severe where the device serves as the primary gateway of a home or enterprise network, since it can then be used to reach internal systems, monitor network traffic, or launch further attacks against connected devices. Integrity and availability are at risk as well, because configuration changes can disrupt services or create unauthorized network segments.
Mitigation should start with prompt installation of firmware updates from TP-Link, as the vendor has likely released patches for the authentication bypass. Network administrators should also segment the network and apply access controls so that the management interface of these devices is not reachable from untrusted networks. Monitoring for unauthorized access attempts and unusual network behavior helps detect exploitation. The vulnerability aligns with CWE-284 Access Control Issues, specifically inadequate access control enforcement in web applications. From an ATT&CK framework perspective it maps to T1078 Valid Accounts and T1566 Phishing, since a compromised device can be used to establish persistent access and potentially escalate privileges within the network. Organizations should additionally consider network intrusion detection systems that watch for exploitation attempts against these router models and their known vulnerabilities.