Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
AnalysisAI
Authenticated command injection in the TP-Link Archer MR600 v5 router allows administrators on the adjacent network to execute arbitrary OS commands via the WireGuard client configuration in the web management interface. The flaw stems from improper neutralization of user-controlled input when configuration changes are applied, enabling full device compromise. No public exploit identified at time of analysis, but TP-Link has released a firmware patch.
Technical ContextAI
The Archer MR600 v5 is a 4G LTE Wi-Fi router from TP-Link Systems Inc. (CPE: cpe:2.3:a:tp-link_systems_inc.:archer_mr600_v5). The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command - 'OS Command Injection'), a common router-firmware weakness where user-supplied configuration parameters are passed unsanitized to shell interpreters or system() calls. In this case, the WireGuard VPN client configuration page in the embedded web UI accepts input that is later concatenated into shell commands when the device applies the new configuration, allowing shell metacharacters (e.g. ;, |, backticks, $(...)) to break out of the intended argument context and execute attacker-chosen commands under the privileges of the configuration daemon - typically root on consumer router firmware.
RemediationAI
Apply the patch available per vendor advisory by upgrading Archer MR600 v5 firmware to the fixed build from https://www.tp-link.com/en/support/download/archer-mr600/v5/#Firmware (the exact fixed version is not enumerated in the provided input - verify the build number against the TP-Link advisory at https://www.tp-link.com/us/support/faq/5122/ before deployment). Until the firmware is applied, restrict who can reach the web management interface by disabling remote (WAN-side) administration if it is not already off, limiting LAN management to a trusted admin VLAN or specific MAC/IP allowlist, and replacing the default or any shared admin password with a strong unique credential - this materially reduces exposure because the bug requires authenticated admin access (PR:H) on the adjacent network (AV:A). If WireGuard is not in use, avoid touching the WireGuard client configuration page; note that none of these workarounds fix the underlying injection, so patching remains the only durable remediation.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35176
GHSA-gx83-77h4-7838