TP-Link has issued a security advisory for its popular Archer MR600 4G+ LTE router, warning of a high-severity vulnerability that could allow attackers to seize control of the device. The flaw, tracked as CVE-2025-14756, carries a CVSS score of 8.5, indicating a significant risk to network integrity if left unpatched.
The vulnerability is an Authenticated Command Injection flaw residing within the router’s web-based management interface.
The issue lies in how the router handles input in its admin panel. Typically, administrative interfaces are designed to restrict users to specific, safe actions. However, security researchers discovered that the Archer MR600 v5 firmware failed to properly sanitize inputs in a specific area accessible via browser developer tools.
According to the advisory, a “Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console”.
This means that an attacker who has already logged into the router—perhaps by guessing a weak password or using default credentials—can go beyond what the admin panel normally permits. By injecting operating-system commands through the interface, they escape the restrictions the management interface is meant to enforce.
While the vulnerability requires authentication, the potential damage is severe. It transforms a standard administrative session into a root-level takeover.
TP-Link warns that exploiting this flaw doesn’t just crash the router; it opens the door to total control. “The vulnerability allows an authenticated attacker to inject system commands via the admin interface, leading to service disruption or full compromise”.
The vulnerability specifically impacts the Archer MR600 v5. Users running firmware versions older than 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n are exposed and should upgrade immediately.
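To make the flaw class concrete, here is an added illustration that is not TP-Link's firmware code and does not reflect the MR600's actual handler: a router-style diagnostic endpoint shown in the vulnerable pattern the advisory describes (user input spliced into a shell command string) and in a hardened form (strict allowlist validation plus an argv list with no shell). It also includes a small helper for the version check implied by the advisory; the Build number cutoff 250930 comes from the advisory, and the assumption that TP-Link Build numbers increase monotonically across releases is mine.

```python
import re
import subprocess

# --- Vulnerable pattern (constructed example, not the MR600 firmware) --------
def build_ping_command_unsafe(host: str) -> str:
    """Splices a user-supplied value into a shell string.

    If this string is handed to a shell (shell=True), anything the shell treats
    specially inside `host` changes what actually runs. This is the shape of an
    authenticated command injection in a web admin panel.
    """
    return "ping -c 1 " + host


# --- Hardened pattern --------------------------------------------------------
# Allowlist: dotted hostname labels or a dotted IPv4 address, nothing else.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_host(host: str) -> bool:
    """Reject anything that is not a plain hostname/IPv4 literal."""
    return 0 < len(host) <= 253 and bool(_HOST_RE.match(host))


def build_ping_command_safe(host: str) -> list:
    """Validate first, then build an argv list that no shell ever interprets."""
    if not validate_host(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]


def run_ping_safe(host: str) -> str:
    """Execute the validated argv list with shell=False (no shell parsing)."""
    result = subprocess.run(
        build_ping_command_safe(host), capture_output=True, text=True, check=False
    )
    return result.stdout


# --- Firmware version check for inventory scripts ----------------------------
# Fixed build from the advisory: 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n
FIXED_BUILD = 250930
_BUILD_RE = re.compile(r"Build\s+(\d{6})")


def is_affected(firmware_version: str) -> bool:
    """True if the firmware's Build number predates the fixed build.

    Assumption: TP-Link Build numbers (YYMMDD) grow with each release, so an
    older build means the device still carries the vulnerable code.
    """
    match = _BUILD_RE.search(firmware_version)
    if not match:
        raise ValueError("no Build number found in version string")
    return int(match.group(1)) < FIXED_BUILD


if __name__ == "__main__":
    # Constructed inputs: one benign host and one with shell metacharacters.
    for candidate in ("192.168.0.1", "example.com; id"):
        print(candidate, "->", "accepted" if validate_host(candidate) else "rejected")
    print(is_affected("1.1.0 0.9.1 v0001.0 Build 240101 Rel.00000n"))
```

The key design choice is that validation is an allowlist (what a hostname may look like), not a denylist of "dangerous" characters, and that the command is passed as an argv list so the input is only ever a single argument to `ping`. The version helper is meant for asset-inventory scripts that already collect firmware strings from managed devices.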
TP-Link has released a patched firmware version to close this security gap. “We strongly recommend that users with affected devices take the following actions: Download and update to the latest firmware version to fix the vulnerabilities”.
Users can download the update directly from the TP-Link support page to secure their networks against this command injection threat.