Critical Auth Bypass (CVE‑2025‑15517) Allows Unauthenticated Firmware Upload on TP‑Link Archer NX Routers
What Happened – TP‑Link released firmware updates for its Archer NX200/210/500/600 series that fix a critical authentication‑bypass flaw (CVE‑2025‑15517) which lets unauthenticated attackers upload arbitrary firmware and change device configuration. The update also removes a hard‑coded cryptographic key (CVE‑2025‑15605) and patches two command‑injection bugs (CVE‑2025‑15518/15519).
Why It Matters for TPRM –
- Unpatched routers can become footholds for lateral movement into corporate networks.
- Firmware compromise defeats endpoint security controls and can expose downstream SaaS and cloud services.
- The flaw is actively exploited in the wild, raising immediate supply‑chain risk for any organization that relies on TP‑Link networking gear.
Who Is Affected – Enterprises, MSPs, and any third party that deploys TP‑Link Archer NX routers across sectors such as finance, healthcare, education, and manufacturing.
Recommended Actions –
- Verify that all Archer NX devices have installed the latest TP‑Link firmware (version 1.2.3‑release or later).
- Conduct an inventory of all TP‑Link routers in your environment and enforce a patch‑management schedule.
- Review network segmentation to limit router management interfaces to trusted admin subnets.
- Monitor for anomalous HTTP requests to /cgi-bin/ endpoints and unexpected firmware‑upload traffic.
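The following Python script is an added example, not code from the advisory or from TP‑Link, that turns two of the recommended actions into a check a defender can run: it compares an inventory of installed firmware versions against the 1.2.3‑release floor named above, and it scans access‑log lines for the three signals the advisory points at (a privileged CGI endpoint accepting a POST without an authenticated user, management access from outside the admin subnet, and a request body large enough to be a firmware image). The inventory, the log lines, the admin subnet, the endpoint names under /cgi-bin/ and the upload‑size threshold are all constructed for the example; the log format is CLF‑like, with the final field recording request‑body bytes, which is a convention assumed here rather than a TP‑Link log format.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Minimum fixed firmware version named in the advisory.
FIXED_VERSION = "1.2.3-release"

# Router management interfaces should only be reachable from this subnet
# (assumed value for the example; substitute your own admin range).
ADMIN_SUBNET = ipaddress.ip_network("192.168.10.0/24")

# Request bodies at or above this size sent to a CGI endpoint look like a
# firmware image rather than a configuration change (assumed threshold).
UPLOAD_BYTES_THRESHOLD = 1024 * 1024

# Finding labels.
UNAUTH_POST = "POST to CGI endpoint accepted without authenticated user"
OUTSIDE_ADMIN = "CGI endpoint reached from outside the admin subnet"
LARGE_UPLOAD = "firmware-sized upload to CGI endpoint"


def parse_version(version: str) -> tuple:
    """Extract the numeric major.minor.patch triple from a version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def needs_patch(installed: str) -> bool:
    """True when the installed firmware is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


# Constructed inventory: hostname -> installed firmware version.
INVENTORY: Dict[str, str] = {
    "edge-rtr-01": "1.2.3-release",
    "branch-rtr-07": "1.1.9-release",
    "lab-rtr-02": "1.2.4-release",
}


def unpatched_devices(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose firmware predates the fixed version."""
    return sorted(name for name, ver in inventory.items() if needs_patch(ver))


# CLF-like line: src - user [timestamp] "METHOD PATH HTTP/x" status body_bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<body>\d+|-)$'
)

# Constructed sample log lines (endpoint names are hypothetical).
LOG_LINES = [
    '192.168.10.5 - admin [10/Mar/2025:09:12:01 +0000] "POST /cgi-bin/set_config HTTP/1.1" 200 812',
    '203.0.113.44 - - [10/Mar/2025:09:14:37 +0000] "POST /cgi-bin/upload_firmware HTTP/1.1" 200 5242880',
    '192.168.10.8 - - [10/Mar/2025:09:15:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/Mar/2025:09:15:40 +0000] "GET /index.html HTTP/1.1" 200 0',
    '192.168.10.5 - - [10/Mar/2025:09:16:11 +0000] "POST /cgi-bin/set_config HTTP/1.1" 401 300',
    '192.168.10.20 - admin [10/Mar/2025:09:20:55 +0000] "POST /cgi-bin/upload_firmware HTTP/1.1" 200 4194304',
]


@dataclass
class Finding:
    src: str
    path: str
    reasons: List[str] = field(default_factory=list)


def analyze(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        path = m["path"]
        if not path.startswith("/cgi-bin/"):
            continue  # only privileged CGI endpoints are in scope
        status = int(m["status"])
        body = 0 if m["body"] == "-" else int(m["body"])
        reasons: List[str] = []
        # A 2xx response to an unauthenticated POST is the bypass signal;
        # a 401/403 means the authentication check did its job.
        if m["method"] == "POST" and m["user"] == "-" and 200 <= status < 300:
            reasons.append(UNAUTH_POST)
        if ipaddress.ip_address(m["src"]) not in ADMIN_SUBNET:
            reasons.append(OUTSIDE_ADMIN)
        if body >= UPLOAD_BYTES_THRESHOLD:
            reasons.append(LARGE_UPLOAD)
        if reasons:
            findings.append(Finding(m["src"], path, reasons))
    return findings


if __name__ == "__main__":
    print("needs patch:", unpatched_devices(INVENTORY))
    for f in analyze(LOG_LINES):
        print(f"{f.src} {f.path}: {'; '.join(f.reasons)}")
```

The last sample line shows why the rules are reported separately: an authenticated upload from the admin subnet still trips the size rule, which is worth a look during a patch window but is not by itself evidence of the bypass, whereas the second line trips all three and is the pattern to page on.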
Technical Notes – The vulnerability stems from a missing authentication check in the router’s embedded HTTP server, enabling unauthenticated HTTP POSTs to privileged CGI endpoints. Exploitation permits firmware upload, configuration changes, and, via related CVEs, decryption of configuration files and arbitrary command execution. A hard‑coded AES key (CVE‑2025‑15605) was also removed. Source: BleepingComputer