Description

A command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.

PUBLISHED Reserved 2025-12-15 | Published 2026-01-26 | Updated 2026-01-27 | Assigner TPLink




HIGH: 8.5 | CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

Default status
unaffected

Any version before 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n
affected

Credits

Chuya Hayakawa of 00One, Inc. (finder)

References

www.tp-link.com/jp/support/download/archer-mr600/ (patch)

www.tp-link.com/en/support/download/archer-mr600/ (patch)

www.tp-link.com/us/support/faq/4916/ (vendor-advisory)

jvn.jp/en/vu/JVNVU94651499/

jvn.jp/vu/JVNVU94651499/

cve.org (CVE-2025-14756)

nvd.nist.gov (CVE-2025-14756)