TP-Link Warns Users to Patch Critical Router Authentication Bypass Vulnerability

TP-Link has released security patches addressing multiple vulnerabilities in its Archer NX router series, with particular emphasis on a critical-severity authentication bypass flaw that could enable attackers to upload malicious firmware without authorization.

The most severe vulnerability, designated CVE-2025-15517, affects Archer NX200, NX210, NX500, and NX600 wireless routers. This security weakness originates from insufficient authentication controls that permit unauthorized access to privileged functions.

According to TP-Link's security advisory released earlier this week, "A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations."

The company addressed additional security concerns in the same update, including the removal of a hardcoded cryptographic key vulnerability (CVE-2025-15605) that allowed authenticated attackers to decrypt, modify, and re-encrypt configuration files. Two command injection vulnerabilities (CVE-2025-15518 and CVE-2025-15519) were also resolved, which previously enabled threat actors with administrative privileges to execute arbitrary system commands.

TP-Link has issued a strong recommendation for immediate action, urging customers to download and install the latest firmware version to prevent potential exploitation. The company emphasized the critical nature of these updates, stating: "If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory."

Pattern of Security Challenges

This latest security update follows previous incidents that have highlighted ongoing vulnerabilities in TP-Link's router ecosystem. In September, the company was compelled to expedite patches for a zero-day vulnerability affecting multiple router models, following an extended delay after the initial security report in May 2024. The unpatched vulnerability had enabled attackers to intercept unencrypted traffic, redirect DNS queries to malicious servers, and inject harmful content into web sessions.

The Cybersecurity and Infrastructure Security Agency (CISA) has demonstrated particular concern regarding TP-Link vulnerabilities, adding two additional flaws (CVE-2023-50224 and CVE-2025-9377) to its Known Exploited Vulnerability catalog in September. These vulnerabilities have been actively exploited by the Quad7 botnet to compromise vulnerable router installations.

CISA's monitoring reveals six TP-Link vulnerabilities with confirmed exploitation activity, including a directory traversal vulnerability (CVE-2015-3035) affecting multiple Archer devices that dates back to 2015.

The security concerns have extended beyond technical vulnerabilities to legal challenges. In February, Texas Attorney General Paxton filed a lawsuit against TP-Link Systems, alleging deceptive marketing practices regarding router security capabilities while simultaneously allowing Chinese state-sponsored threat groups to exploit firmware vulnerabilities for unauthorized device access.

These developments underscore the importance of maintaining current firmware on network infrastructure devices and the critical role of timely security updates in protecting against emerging threats.