CVE-2025-15541
Improper Link Resolution in VX800v SFTP Causes Data Exposure
Publication date: 2026-01-29
Last updated on: 2026-03-09
Assigner: TPLink
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | vx800v_firmware | to 800.0.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with adjacent network access to access sensitive system files on the device by exploiting crafted symbolic links. This results in a high confidentiality impact, meaning sensitive information could be exposed, while the risk to data integrity is limited. [2]
Can you explain this vulnerability to me?
CVE-2025-15541 is a vulnerability in the TP-Link VX800v v1.0 device's SFTP service where improper resolution of symbolic links allows authenticated attackers on an adjacent network to craft symbolic links that access sensitive system files. This flaw leads to a high confidentiality impact and a limited integrity risk. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the TP-Link VX800v device firmware to the latest version, specifically to version 800.0.11 or later, as the vulnerability affects firmware versions prior to 800.0.11. Ensure that the firmware update is performed using the official TP-Link website, following recommended procedures such as using a stable power source and preferably a wired connection. Additionally, note that by default, services including SFTP are disabled to reduce attack surface, so verify service configurations accordingly. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated adjacent attackers to access sensitive system files due to improper symbolic link resolution, resulting in a high confidentiality impact. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding of personal and sensitive information. Therefore, failure to mitigate this vulnerability may increase the risk of violating these standards. Users are advised to update to the latest firmware to address this issue. [2, 1]