CVE-2025-15517: Unauthenticated Access to Firmware Upload on TP-Link Archer NX Routers

CVE-2025-15517 is an authorization bypass in the HTTP server of four TP-Link Archer NX router lines. Certain CGI endpoints fail to enforce authentication, meaning an attacker who can reach the management interface can invoke functions intended only for logged-in administrators. The documented impact from TP-Link and NVD includes firmware upload and configuration operations without credentials.

NVD maps this to CWE-306: Missing Authentication for Critical Function. The vendor CVSS v4.0 score is 8.6 / High, with vector AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N.

The CVE was published March 23, 2026, and TP-Link's advisory was last updated March 25, 2026.

Why the "High" Score Still Means Near-Total Compromise

The CVSS vector includes AV:A, adjacent network, which is why the score lands at High rather than Critical. This is not internet-wide exploitation by default. The attacker needs to be on the same local network segment, or reach the management interface through poor network design such as guest Wi-Fi, bridged LANs, ISP-managed access paths, or an enabled remote administration feature.

That adjacency constraint is the only reason this is not a 10.0. The actual outcome of successful exploitation is unauthenticated firmware upload, which in practice means full device takeover. An attacker who can push arbitrary firmware controls everything the router does: DNS resolution, traffic routing, NAT rules, and any credentials or sessions passing through it. The effective impact is total, even if the delivery mechanism requires network proximity.

Affected Hardware and Fixed Builds

TP-Link also notes these products are not sold in the US, which matters for geographic exposure scoping.

Archer NX600:

  • v3.0: fixed in 1.3.0 Build 260309
  • v2.0: fixed in 1.3.0 Build 260311
  • v1.0: fixed in 1.4.0 Build 260311

Archer NX500:

  • v2.0: fixed in 1.5.0 Build 260309
  • v1.0: fixed in 1.3.0 Build 260311

Archer NX210:

  • v3.0: fixed in 1.3.0 Build 260309
  • v2.0 / v2.20: fixed in 1.3.0 Build 260311

Archer NX200:

  • v3.0: fixed in 1.3.0 Build 260309
  • v2.20: fixed in 1.3.0 Build 260311
  • v2.0: fixed in 1.3.0 Build 260311
  • v1.0: fixed in 1.8.0 Build 260311
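Because the fixed build differs by hardware revision, an inventory check has to key on model and revision together. The following is an added example, not code from TP-Link or the original page: it triages devices against the fixed-build list above, assuming firmware strings have the shape "X.Y.Z Build NNNNNN" and order by version first, then build number. The function names and the sample inventory are hypothetical.

```python
import re

# Fixed builds transcribed from the list above: (model, hardware rev) -> first fixed firmware.
FIXED = {
    ("NX600", "3.0"): "1.3.0 Build 260309",
    ("NX600", "2.0"): "1.3.0 Build 260311",
    ("NX600", "1.0"): "1.4.0 Build 260311",
    ("NX500", "2.0"): "1.5.0 Build 260309",
    ("NX500", "1.0"): "1.3.0 Build 260311",
    ("NX210", "3.0"): "1.3.0 Build 260309",
    ("NX210", "2.0"): "1.3.0 Build 260311",
    ("NX210", "2.20"): "1.3.0 Build 260311",
    ("NX200", "3.0"): "1.3.0 Build 260309",
    ("NX200", "2.20"): "1.3.0 Build 260311",
    ("NX200", "2.0"): "1.3.0 Build 260311",
    ("NX200", "1.0"): "1.8.0 Build 260311",
}

# Assumed firmware string shape; trailing text after the build number is ignored.
FW_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+Build\s+(\d{6})\b", re.IGNORECASE)

def parse_fw(text):
    """Return ((major, minor, patch), build) or None if the string is not recognised."""
    m = FW_RE.match(text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))

def triage(model, hw, firmware):
    """Classify one device as 'patched', 'vulnerable' or 'unknown' (verify by hand)."""
    key = (model.upper().replace("ARCHER", "").strip(), hw.lower().lstrip("v").strip())
    fixed = FIXED.get(key)
    current = parse_fw(firmware)
    if fixed is None or current is None:
        return "unknown"  # unlisted revision or unparseable string: never assume safe
    return "patched" if current >= parse_fw(fixed) else "vulnerable"

# Constructed sample inventory rows (not real devices).
INVENTORY = [
    ("Archer NX600", "v3.0", "1.3.0 Build 260309"),
    ("Archer NX200", "v1.0", "1.3.0 Build 260311"),
    ("Archer NX210", "V2.20", "1.2.1 Build 250801 Rel.12345"),
    ("Archer NX500", "v3.0", "1.5.0 Build 260309"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(*row, "->", triage(*row), sep=" | ")
```

The second sample row shows why the revision matters: 1.3.0 Build 260311 is the fixed build for several revisions but is still below the 1.8.0 fix for the NX200 v1.0.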

Part of a Larger Advisory Cluster

CVE-2025-15517 was disclosed alongside three other vulnerabilities in the same hardware lines:

  • CVE-2025-15518 — command injection, requires authenticated admin access
  • CVE-2025-15519 — command injection, requires authenticated admin access
  • CVE-2025-15605 — hardcoded cryptographic key affecting configuration encryption

The right posture is not to patch only the authentication bypass and stop. The same firmware update resolves all four. If you patch selectively, you close the unauthenticated entry point but leave the configuration encryption weakness and the command injection paths open to any compromised admin session.

What to Do

If you can patch now: Update to the fixed build for your exact hardware version and variant. TP-Link explicitly recommends updating to the latest firmware.

After patching: Rotate admin credentials. Review for signs of tampering, especially if the device had reachable management endpoints before the fix. Because firmware upload is listed as an achievable impact, treat any previously exposed router as potentially fully compromised until you can confirm otherwise.

If you cannot patch immediately: At minimum, restrict management access to a trusted wired segment, disable any remote administration features, and isolate the device from less-trusted clients such as guest networks. The AV:A vector means network segmentation directly reduces your exposure while you wait for a maintenance window.

The cluster of four CVEs in one advisory is also a signal. When a vendor patches this many issues in one release across a single product family, the right assumption is that the security review went deep. Update the complete firmware, not just the headline CVE.


Sources: [NVD — CVE-2025-15517](https://nvd.nist.gov/vuln/detail/CVE-2025-15517) · [NVD — CVE-2025-15518](https://nvd.nist.gov/vuln/detail/CVE-2025-15518) · [NVD — CVE-2025-15605](https://nvd.nist.gov/vuln/detail/CVE-2025-15605)