Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New This Week
First published 26 March 2026.
Changelog
| Date | Summary |
|---|---|
| 26 Mar 2026 | First published. |
An unauthenticated HTTP request is enough to push arbitrary firmware to TP-Link’s Archer NX routers. That’s not a configuration issue or a misconfigured deployment edge case. It’s CVE-2025-15517 – a missing authentication check in the HTTP server that allows anyone with network access to hit certain CGI endpoints that should require login.
Affected models: Archer NX200, NX210, NX500, NX600. Patch is out this week.
What the CVEs Actually Are
CVE-2025-15517 is the critical one. The HTTP server fails to enforce authentication on specific CGI endpoints. An attacker can perform privileged HTTP actions without credentials – including uploading firmware and modifying device configuration. No account required. No prior foothold needed. If you can reach the management interface, you own the box.
Three additional CVEs were patched alongside it:
CVE-2025-15605 covered a hardcoded cryptographic key in the configuration mechanism. Authenticated attackers could use it to decrypt configuration files, modify them, and re-encrypt them – effectively rewriting the device configuration, with the device’s own key making the tampered file look valid.
CVE-2025-15518 and CVE-2025-15519 are command injection flaws. These require admin privileges to execute arbitrary commands, so they’re post-exploitation amplifiers rather than initial access vectors.
The combination tells a clear story: unauthenticated access to firmware upload, plus authenticated command injection, plus configuration decryption. A full takeover chain once the first door opens.
Why the Track Record Matters
TP-Link gear accumulates CISA Known Exploited Vulnerabilities entries at a notable rate. Six TP-Link vulnerabilities have landed in the KEV catalog historically. In September 2025, two more were added – CVE-2023-50224 and CVE-2025-9377 – both actively exploited by the Quad7 botnet. Quad7 was specifically targeting TP-Link routers to build a proxy network used for password spraying against Microsoft 365 accounts and other enterprise targets.
That’s not distant history. That’s six months ago, same manufacturer, same class of device, same exploitation pattern: take over the router, route attack traffic through it.
CVE-2025-15517 has no confirmed active exploitation yet. But an unauthenticated firmware upload flaw on consumer routers from a vendor with confirmed botnet targeting history is a recruitment mechanism waiting to be discovered. These flaws get found by researchers. They also get found by the people scanning for them at scale.
The regulatory pressure adds context. Texas AG Paxton sued TP-Link in February, alleging they marketed routers as secure while Chinese state-sponsored groups were exploiting firmware vulnerabilities. The FCC updated its Covered List to include all consumer routers made outside the U.S., banning sales of foreign-manufactured routers going forward. That’s the backdrop against which this patch landed.
What to Do
Check your hardware. If you’re running an Archer NX200, NX210, NX500, or NX600, download and apply the latest firmware from TP-Link’s support site now. TP-Link’s advisory states that it strongly recommends installing the update immediately, and notes that the company cannot bear responsibility for consequences that could have been avoided by following the advisory.
If the management interface is exposed to the internet, change that regardless of patch status. Router admin interfaces should not be reachable from outside your network. Patch first, then verify that the interface is no longer exposed.
No active exploitation confirmed yet. That window won’t stay open indefinitely.