Critical Authentication Bypass (CVE‑2025‑15517) Enables Firmware Takeover in TP‑Link Archer NX Routers
What It Is – TP‑Link disclosed a high‑severity authentication‑bypass flaw (CVE‑2025‑15517, CVSS 8.6) in the Archer NX series that lets an unauthenticated attacker upload arbitrary firmware via a vulnerable CGI endpoint. A second issue (CVE‑2025‑15605, CVSS 8.5) removes a hard‑coded cryptographic key, allowing decryption and re‑encryption of configuration data.
Exploitability – The vulnerability is publicly disclosed, patches are available, and proof‑of‑concept exploits have been shared in the advisory. No active ransomware‑style exploit‑as‑a‑service has been observed, but the attack surface is trivial for network‑adjacent threat actors.
Affected Products – TP‑Link Archer NX 200, NX 210, NX 500, and NX 600 routers across multiple firmware generations (see advisory for exact version thresholds).
TPRM Impact – Any organization that outsources networking to a vendor using these routers faces a supply‑chain risk: compromised firmware can be used to pivot into internal systems, exfiltrate data, or launch lateral attacks against downstream customers.
Recommended Actions –
- Immediately deploy TP‑Link’s firmware updates (≥ 1.3.0 Build 260309 for v3.0, ≥ 1.5.0 Build 260309 for v2.0, etc.).
- Conduct an inventory of Archer NX devices across all third‑party sites and verify firmware signatures.
- Enforce network segmentation for IoT/consumer‑grade routers and restrict outbound HTTP to vendor update servers only.
- Monitor logs for unauthenticated HTTP POSTs to
/cgi-bin/*endpoints and for unexpected firmware version changes. - Review contractual clauses with vendors to require timely patching of network equipment.
Source: Security Affairs – Patch now: TP‑Link Archer NX routers vulnerable to firmware takeover