Skip to main content

TP-Link Archer MR600 CVE-2026-8913

| EUVDEUVD-2026-35176 HIGH
OS Command Injection (CWE-78)
2026-06-08 TPLink GHSA-gx83-77h4-7838
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 18:31 vuln.today
CVSS changed
Jun 08, 2026 - 18:22 NVD
8.5 (HIGH)

DescriptionCVE.org

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.

AnalysisAI

Authenticated command injection in the TP-Link Archer MR600 v5 router allows administrators on the adjacent network to execute arbitrary OS commands via the WireGuard client configuration in the web management interface. The flaw stems from improper neutralization of user-controlled input when configuration changes are applied, enabling full device compromise. No public exploit identified at time of analysis, but TP-Link has released a firmware patch.

Technical ContextAI

The Archer MR600 v5 is a 4G LTE Wi-Fi router from TP-Link Systems Inc. (CPE: cpe:2.3:a:tp-link_systems_inc.:archer_mr600_v5). The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command - 'OS Command Injection'), a common router-firmware weakness where user-supplied configuration parameters are passed unsanitized to shell interpreters or system() calls. In this case, the WireGuard VPN client configuration page in the embedded web UI accepts input that is later concatenated into shell commands when the device applies the new configuration, allowing shell metacharacters (e.g. ;, |, backticks, $(...)) to break out of the intended argument context and execute attacker-chosen commands under the privileges of the configuration daemon - typically root on consumer router firmware.

RemediationAI

Apply the patch available per vendor advisory by upgrading Archer MR600 v5 firmware to the fixed build from https://www.tp-link.com/en/support/download/archer-mr600/v5/#Firmware (the exact fixed version is not enumerated in the provided input - verify the build number against the TP-Link advisory at https://www.tp-link.com/us/support/faq/5122/ before deployment). Until the firmware is applied, restrict who can reach the web management interface by disabling remote (WAN-side) administration if it is not already off, limiting LAN management to a trusted admin VLAN or specific MAC/IP allowlist, and replacing the default or any shared admin password with a strong unique credential - this materially reduces exposure because the bug requires authenticated admin access (PR:H) on the adjacent network (AV:A). If WireGuard is not in use, avoid touching the WireGuard client configuration page; note that none of these workarounds fix the underlying injection, so patching remains the only durable remediation.

Share

CVE-2026-8913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy