CVE-2025-15541
Unknown Unknown - Not Provided

Improper Link Resolution in VX800v SFTP Causes Data Exposure

Vulnerability report for CVE-2025-15541, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-29

Last updated on: 2026-03-09

Assigner: TPLink

Description

Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-29
Last Modified
2026-03-09
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tp-link vx800v_firmware to 800.0.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-15541 is a vulnerability in the TP-Link VX800v v1.0 device's SFTP service where improper resolution of symbolic links allows authenticated attackers on an adjacent network to craft symbolic links that access sensitive system files. This flaw leads to a high confidentiality impact and a limited integrity risk. [2]

Mitigation Strategies

To mitigate this vulnerability, immediately update the TP-Link VX800v device firmware to the latest version, specifically to version 800.0.11 or later, as the vulnerability affects firmware versions prior to 800.0.11. Ensure that the firmware update is performed using the official TP-Link website, following recommended procedures such as using a stable power source and preferably a wired connection. Additionally, note that by default, services including SFTP are disabled to reduce attack surface, so verify service configurations accordingly. [1, 2]

Compliance Impact

The vulnerability allows authenticated adjacent attackers to access sensitive system files due to improper symbolic link resolution, resulting in a high confidentiality impact. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of personal and sensitive information. Therefore, failure to mitigate this vulnerability may increase the risk of violating these standards. Users are advised to update to the latest firmware to address this issue. [2, 1]

Impact Analysis

This vulnerability can allow an authenticated attacker with adjacent network access to access sensitive system files on the device by exploiting crafted symbolic links. This results in a high confidentiality impact, meaning sensitive information could be exposed, while the risk to data integrity is limited. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart