Master Keys and Open Backdoors: TP-Link Issues Urgent Patch for Archer NX-Series Routers

In a major security alert, TP-Link has released a series of critical firmware updates to patch several high-severity vulnerabilities affecting its popular Archer NX-series routers. These flaws, which impact the NX200, NX210, NX500, and NX600 models, could allow attackers to bypass authentication, inject malicious commands, or even tamper with encrypted device configurations.

The advisory highlights a mix of flaws that, if left unpatched, could give an intruder total control over a home or small business network.

The most critical issue, tracked as CVE-2025-15517 (CVSS 8.6), involves a breakdown in the HTTP server’s security. Researchers found that certain administrative endpoints were essentially left wide open, lacking proper identity checks.

“A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users,” the advisory warns. This means a remote attacker could “perform privileged HTTP actions without authentication,” including uploading malicious firmware or silently modifying the router’s entire configuration.

The security team also uncovered two “Command Injection” vulnerabilities (CVE-2026-15518 & CVE-2026-15519) hidden within the router’s command-line interface (CLI) for wireless control and modem management.

These flaws stem from “improper input handling in an administrative CLI command,” which allows malicious code to be executed directly as part of a system-level command. While this requires an attacker to have administrative privileges first, it allows them to “execute arbitrary commands on the operating system,” threatening the “confidentiality, integrity and availability of the device”.

Finally, CVE-2025-15605 is a discovery of a hardcoded cryptographic key within the router’s encryption mechanism.

This key is used to protect device configuration data, but because it is hardcoded, it acts as a universal master key. An authenticated attacker could leverage this to “decrypt configuration files, modify them and re-encrypt them,” allowing them to change sensitive settings without the user ever knowing.

TP-Link has moved aggressively to release patches for the following hardware and firmware versions:

• Archer NX600: Updates required for v1.0, v2.0, and v3.0.
• Archer NX500: Updates required for v1.0 and v2.0.
• Archer NX210: Updates required for v2.0, v2.20, and v3.0.
• Archer NX200: Updates required for v1.0, v2.0, v2.20, and v3.0.

TP-Link “strongly recommend that users with affected devices” take immediate action to secure their hardware.

• Download the Fix: Visit the official TP-Link support pages for your specific model.
• Update Firmware: Use the router’s management interface to apply the latest build immediately.