The Dark Side of DDoS: Why DDoS Downtime is Harder to Prevent
Patch now: TP-Link Archer NX routers vulnerable to firmware takeover
March 25, 2026 
TP-Link patched a high severity flaw (CVE-2025-15517) in Archer NX routers that could let attackers bypass authentication and install malicious firmware.
TP-Link issued security updates for its Archer NX router series to fix multiple vulnerabilities, including CVE-2025-15517 (CVSS score of 8.6), a critical authentication bypass flaw. The vulnerability impacts multiple models, including NX200, NX210, NX500, and NX600. The flaw allows attackers to upload new firmware without privileges, creating a high risk of compromise if unpatched.
“A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users.” reads the advisory. “An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.”
TP-Link also removed a hardcoded cryptographic key in Configuration Encryption Mechanism, tracked as CVE-2025-15605 (CVSS score of 8.5). The vulnerability allowed authenticated attackers to decrypt configuration files, modify them, and re-encrypt them.
“A hardcoded cryptographic key within its configuration mechanism enables decryption and re-encryption of device configuration data.” reads the advisory. “An authenticated attacker may decrypt configuration files, modify them and re-encrypt them, affecting confidentiality and integrity of device configuration data.”
Below is the list of impacted products/versions and related fixes:
| Affected Product | Affected Hardware Versions / Firmware Versions |
| Archer NX600 | • v3.0: < 1.3.0 Build 260309 • v2.0: < 1.3.0 Build 260311 • v1.0: < 1.4.0 Build 260311 |
| Archer NX500 | • v2.0: < 1.5.0 Build 260309 • v1.0: < 1.3.0 Build 260311 |
| Archer NX210 | • v3.0: < 1.3.0 Build 260309 • v2.0 & v2.20: < 1.3.0 Build 260311 |
| Archer NX200 | • v3.0: < 1.3.0 Build 260309 • v2.20: < 1.3.0 Build 260311 • v2.0: < 1.3.0 Build 260311 • v1.0: < 1.8.0 Build 260311 |
The vendor urges customers to download and install the latest firmware version to address these issues.
In September 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these flaws:
- CVE-2025-9377 (CVSS score of 8.6) TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
- CVE-2023-50224 (CVSS score of 6.5) TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
This week, the U.S. FCC announced a ban on importing new foreign-made consumer routers, citing unacceptable cyber and national security risks. The decision, backed by Executive Branch assessments, means such devices can no longer be sold or marketed in the U.S. unless they receive special approval.
Routers will be added to the Covered List, with exceptions only for those cleared by the Department of Homeland Security or defense authorities after the Department of Homeland Security or defense authorities verify they pose no threat to communications networks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Archer NX)
About Author
