CVE-2025-14756
Command Injection in TP-Link Archer MR600 Admin Interface
Publication date: 2026-01-26
Last updated on: 2026-03-09
Assigner: TPLink
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | archer_mr600_firmware | to 1.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the admin interface of the TP-Link Archer MR600 v5 firmware. Authenticated attackers can exploit it by submitting specially crafted input through the browser developer console, allowing them to execute system commands with a limited character length. This can lead to service disruption or full system compromise. [2]
How can this vulnerability impact me? :
The vulnerability can lead to service disruption or full compromise of the affected device. An attacker with authentication can execute system commands, potentially taking control of the device or causing it to stop functioning properly. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the TP-Link Archer MR600 v5 firmware to the latest version, specifically to version 1.1.0 or later, as earlier versions including 0.9.1 v0001.0 Build 250930 Rel.63611n are vulnerable. Applying the firmware update will remediate the command injection flaw and prevent potential exploitation. [2]