CVE-2025-15517: Auth Bypass in TP-Link Archer NX Series
Platform
other
Fixed in
1.3.0 Build 260309
1.3.0 Build 260311
1.4.0 Build 260311
1.5.0 Build 260309
CVE-2025-15517 describes a critical authentication bypass vulnerability discovered in TP-Link Archer NX series routers (NX200, NX210, NX500, and NX600). This flaw allows an attacker to perform privileged HTTP actions without authentication, potentially leading to unauthorized configuration changes and firmware manipulation. The vulnerability impacts devices running versions up to and including 1.8.0 Build 260311, and a fix is available in version 1.8.0 Build 260311.
Impact and Attack Scenarios
The impact of CVE-2025-15517 is significant due to the ease of exploitation and the potential for complete device compromise. An attacker can leverage this vulnerability to upload malicious firmware, effectively bricking the device or installing malware. They can also modify the router's configuration, redirecting traffic, creating backdoors, or stealing sensitive data. This vulnerability presents a serious risk to network security, as a compromised router can serve as a pivot point for attacks against other devices on the network. The ability to perform privileged actions without authentication significantly lowers the barrier to entry for attackers.
Exploitation Context
CVE-2025-15517 was publicly disclosed on 2026-03-23. As of this date, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation, but the ease of exploitation suggests a potential for medium to high probability of exploitation if a PoC is released. It is not currently listed on the CISA KEV catalog.
Threat Intelligence
Exploit Status
EPSS
0.05% (15% percentile)
CISA SSVC
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-15517 is to immediately upgrade affected TP-Link Archer NX series routers to firmware version 1.8.0 Build 260311 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of the vulnerability, restricting access to the vulnerable CGI endpoints from untrusted networks can provide a layer of defense. Monitor router logs for unusual activity, particularly unauthorized configuration changes or firmware uploads. After upgrading, confirm the fix by attempting to access the vulnerable CGI endpoints without authentication; access should be denied.
How to fix
Update the firmware on your TP-Link Archer NX200, NX210, NX500 or NX600 router to the latest version available on the official TP-Link website. This will correct the authentication bypass vulnerability in the HTTP endpoints and prevent unauthorized access.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2025-15517 — Auth Bypass in TP-Link Archer NX Series?
CVE-2025-15517 is an authentication bypass vulnerability affecting TP-Link Archer NX200, NX210, NX500, and NX600 routers, allowing unauthorized privileged actions.
Am I affected by CVE-2025-15517 in TP-Link Archer NX Series?
You are affected if you are using a TP-Link Archer NX200, NX210, NX500, or NX600 router running firmware versions ≤1.8.0 Build 260311.
How do I fix CVE-2025-15517 in TP-Link Archer NX Series?
Upgrade your router to firmware version 1.8.0 Build 260311 or later to patch the vulnerability.
Is CVE-2025-15517 being actively exploited?
As of the public disclosure date, there are no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Where can I find the official TP-Link advisory for CVE-2025-15517?
Refer to the TP-Link security advisory for detailed information and firmware updates: [Placeholder - TP-Link Advisory Link]
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.