TP-Link Archer AXE75 CVE-2025-15568
HIGHSeverity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A command injection vulnerability was identified in the web module of Archer AXE75 v1.6/v1.0 router. An authenticated attacker with adjacent-network access may be able to perform remote code execution (RCE) when the router is configured with sysmode=ap. Successful exploitation results in root-level privileges and impacts confidentiality, integrity and availability of the device.
This issue affects Archer AXE75 v1.6/v1.0: through 1.3.2 Build 20250107.
AnalysisAI
Command injection in TP-Link Archer AXE75 router's web module allows authenticated adjacent-network attackers to execute arbitrary code with root privileges when configured in Access Point mode (sysmode=ap). Affects hardware versions v1.6 and v1.0 running firmware through 1.3.2 Build 20250107. EPSS score of 0.13% (32nd percentile) suggests limited observed exploitation attempts, and no public exploit code or CISA KEV listing identified at time of analysis. Attack requires high-privilege authentication and adjacent network position, limiting opportunistic exploitation but creating significant risk in environments with compromised or malicious insiders.
Technical ContextAI
The vulnerability resides in the web management interface of the TP-Link Archer AXE75 Wi-Fi 6E router, specifically affecting firmware versions through 1.3.2 Build 20250107 on hardware revisions v1.6 and v1.0. The root cause is CWE-78 (OS Command Injection), indicating insufficient input sanitization allows attackers to inject shell metacharacters into system commands executed by the web server process. The conditional requirement of 'sysmode=ap' configuration suggests the vulnerable code path is only exposed when the router operates in Access Point mode rather than default router mode. Command injection vulnerabilities in embedded device web interfaces typically occur when user-supplied parameters from HTTP requests are concatenated into shell commands without proper escaping, allowing attackers to break out of intended command contexts. Success grants root-level access as embedded device web servers commonly run with elevated privileges. The CVSS 4.0 vector indicates subsequent system scope impact (SC:L/SI:L/SA:L), suggesting limited lateral movement beyond the device itself.
RemediationAI
Upgrade to patched firmware version available from TP-Link download centers at https://www.tp-link.com/us/support/download/archer-axe75/v1/ (hardware v1.0) or https://www.tp-link.com/us/support/download/archer-axe75/v1.60/ (hardware v1.6). Released patched version number not independently confirmed from available data-verify current firmware version exceeds 1.3.2 Build 20250107. Prior to patching, implement compensating controls: restrict web management interface access to trusted administrative VLANs only, disable remote management features entirely if not required, implement strong unique administrative passwords, and monitor authentication logs for unauthorized access attempts. If Access Point mode is not operationally required, reconfigure device to router mode to eliminate the sysmode=ap attack prerequisite, though this trades functionality for security. Network segmentation prevents adjacent-network access-isolate AXE75 management interfaces from guest networks, IoT VLANs, and user-accessible segments. Note that disabling web management entirely eliminates the attack surface but requires CLI or mobile app for administration. Consult TP-Link FAQ at https://www.tp-link.com/us/support/faq/5005/ for additional security hardening guidance.
More in Archer Axe75 Firmware
View allImproper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent atta
Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product to execute arbitr
Multiple TP-LINK products allow a network-adjacent authenticated attacker with access to the product from the LAN port o
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today