TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password
TP-Link just patched a flaw that let attackers push rogue firmware onto your router without a password.
The latest TP-Link patch addresses multiple critical vulnerabilities in the Archer NX router series, specifically the NX200, NX210, NX500, and NX600 models. The flaws allowed attackers to bypass authentication and manipulate the routers without permission, potentially exposing connected devices and networks to unauthorized access.
Security researchers at the Cybersecurity and Infrastructure Security Agency (CISA) have flagged several of these vulnerabilities, highlighting the risks they pose to both home and small business users who rely on these routers for daily operations. In response, TP-Link patched them all and has urged all owners of affected devices to immediately install the updates or bear the potential consequences of not heeding their notice.
What went wrong?
Several vulnerabilities were found in the above-mentioned router models. According to BleepingComputer, a flaw, CVE-2025-15517, allows attackers to exploit a missing authentication check. Because of this, an attacker could easily access certain CGI endpoints reserved for logged-in users only.
Another flaw, tagged as CVE-2025-15605, was fixed. This vulnerability allowed logged-in attackers to abuse the router’s cryptographic key to decrypt, modify, and re-encrypt configuration files. Effectively, this gives the attacker the ability to read router settings, manipulate the network, and cover their tracks, making it hard to expel them.
Two more vulnerabilities were also patched: CVE-2025-15518 and CVE-2025-15519. They both allow an attacker to execute malicious commands in admin mode. Aside from these two, CISA added two more to its Known Exploited Vulnerability category: CVE-2023-50224 and CVE-2025-9377, bringing the total number of TP-Link flaws CISA has flagged to six.
Amid ongoing security concerns, Texas Attorney General Ken Paxton filed a lawsuit against the company in February. He claimed the company was misleading US consumers by labeling its routers as “Made in Vietnam” despite sourcing virtually all its components from China.
Paxton argued that the distinction matters because Chinese law can compel companies with ties to the country’s supply chain to submit users’ data to Chinese intelligence agencies, raising concerns about potential access to user data. The lawsuit also cites a history of security lapses, including firmware vulnerabilities that have been exploited by Chinese hacking groups.
Why this patch matters
Routers are not just any device. The sit between a user’s traffic and its destination, helping direct it through the right path. Because they play an important role in internet communication, a successful exploit on routers can have far-reaching consequences.
For example, in September of last year, an unpatched vulnerability, first disclosed in May 2024, was reported to have caused remote code execution via buffer overflows, prompting TP-Link to issue an immediate fix for US customers.
Given their importance, the US government, through its relevant agencies, informs users of any such flaws.
Just this Monday, the Federal Communications Commission (FCC) announced its move to ban the sale of new foreign-made routers. Citing what the White House sees as risks to National Security, the commission noted it will include these routers in its Covered List. However, the ban does not prevent these router manufacturers from seeking US approval, provided they are transparent.
What you must do
According to BleepingComputer, TP-Link has urged customers to install the latest firmware to get the patch immediately. Quoting the company, the report reads: “If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.”
To get the latest update, check this YouTube video guide if you are new to it, or check out TP-Link’s support page.
Also read: A fresh roundup of security flaws this month shows how quickly overlooked infrastructure bugs can turn into serious enterprise risks.
About Author
