Skip to main content

TP-Link Archer AXE75 CVE-2025-15568

HIGH
OS Command Injection (CWE-78)
2026-03-09 f23511db-6c3e-4e32-a477-6aa17d310630
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:22 NVD
8.5 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Mar 09, 2026 - 17:16 nvd
N/A

DescriptionCVE.org

A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device.

This issue affects Archer AXE75 v1.6/v1.0: through 1.3.2 Build 20250107.

AnalysisAI

Command injection in TP-Link Archer AXE75 router's web module allows authenticated adjacent-network attackers to execute arbitrary code with root privileges when configured in Access Point mode (sysmode=ap). Affects hardware versions v1.6 and v1.0 running firmware through 1.3.2 Build 20250107. EPSS score of 0.13% (32nd percentile) suggests limited observed exploitation attempts, and no public exploit code or CISA KEV listing identified at time of analysis. Attack requires high-privilege authentication and adjacent network position, limiting opportunistic exploitation but creating significant risk in environments with compromised or malicious insiders.

Technical ContextAI

The vulnerability resides in the web management interface of the TP-Link Archer AXE75 Wi-Fi 6E router, specifically affecting firmware versions through 1.3.2 Build 20250107 on hardware revisions v1.6 and v1.0. The root cause is CWE-78 (OS Command Injection), indicating insufficient input sanitization allows attackers to inject shell metacharacters into system commands executed by the web server process. The conditional requirement of 'sysmode=ap' configuration suggests the vulnerable code path is only exposed when the router operates in Access Point mode rather than default router mode. Command injection vulnerabilities in embedded device web interfaces typically occur when user-supplied parameters from HTTP requests are concatenated into shell commands without proper escaping, allowing attackers to break out of intended command contexts. Success grants root-level access as embedded device web servers commonly run with elevated privileges. The CVSS 4.0 vector indicates subsequent system scope impact (SC:L/SI:L/SA:L), suggesting limited lateral movement beyond the device itself.

RemediationAI

Upgrade to patched firmware version available from TP-Link download centers at https://www.tp-link.com/us/support/download/archer-axe75/v1/ (hardware v1.0) or https://www.tp-link.com/us/support/download/archer-axe75/v1.60/ (hardware v1.6). Released patched version number not independently confirmed from available data-verify current firmware version exceeds 1.3.2 Build 20250107. Prior to patching, implement compensating controls: restrict web management interface access to trusted administrative VLANs only, disable remote management features entirely if not required, implement strong unique administrative passwords, and monitor authentication logs for unauthorized access attempts. If Access Point mode is not operationally required, reconfigure device to router mode to eliminate the sysmode=ap attack prerequisite, though this trades functionality for security. Network segmentation prevents adjacent-network access-isolate AXE75 management interfaces from guest networks, IoT VLANs, and user-accessible segments. Note that disabling web management entirely eliminates the attack surface but requires CLI or mobile app for administration. Consult TP-Link FAQ at https://www.tp-link.com/us/support/faq/5005/ for additional security hardening guidance.

Share

CVE-2025-15568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy