CVE-2025-14756

Authenticated Command Injection Vulnerability in Archer MR600

CVSS 8.5 HIGH | EPSS 2.7% | CWE-77
In short

An authenticated attacker can inject and execute system commands on the TP-Link Archer MR600 router through the admin interface, potentially disrupting services or taking control of the device.

Technical detail

Command injection vulnerability in the admin interface of TP-Link Archer MR600 v5 allows authenticated attackers to execute arbitrary system commands via crafted input submitted through the browser developer console; successful exploitation requires prior authentication and is subject to character length restrictions, but can lead to complete device compromise or denial of service.

Summary generated and translated by AI from the official description.
Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
