EUVD-2025-208939
GHSA-6mq5-gjcx-rvxq
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device.
Analysis
A command injection vulnerability exists in the wireless-control administrative CLI command of TP-Link Archer NX series routers (models NX200, NX210, NX500, and NX600) due to improper input handling that allows crafted input to be executed as part of operating system commands. An authenticated attacker with administrative privileges can exploit this vulnerability to execute arbitrary commands on the device, compromising confidentiality, integrity, and availability. Patches are available from the vendor for all affected models and versions.
Technical Context
The vulnerability is a classic OS command injection flaw (CWE-78: Improper Neutralization of Special Elements used in an OS Command) in the administrative CLI interface of TP-Link's wireless-control management component. The affected products are TP-Link Archer NX series routers spanning multiple hardware revisions: Archer NX200 (versions 2.0, 2.20, 3.0), Archer NX210 (versions 2.0/2.20, 3.0), Archer NX500 (versions 1.0, 2.0), and Archer NX600 (versions 1.0, 2.0, 3.0), as documented in the CPE identifiers provided. The root cause stems from insufficient input validation in the wireless-control administrative command parsing logic, where user-supplied input is concatenated into system commands without proper escaping or sanitization, allowing attackers to inject arbitrary shell metacharacters and execute privileged commands with device-level access.
Affected Products
TP-Link Archer NX series routers are affected across four hardware models with multiple firmware versions. The Archer NX200 is vulnerable in versions 2.0, 2.20, and 3.0; the Archer NX210 in versions 2.0/2.20 and 3.0; the Archer NX500 in versions 1.0 and 2.0; and the Archer NX600 in versions 1.0, 2.0, and 3.0. These products are identified via CPE identifiers in the format cpe:2.3:a:tp-link_systems_inc.:archer_nx[model]_v[version]:*:*:*:*:*:*:*:*. Patch availability has been confirmed by the vendor, with firmware updates available at the official TP-Link support pages: https://www.tp-link.com/en/support/download/archer-nx200/#Firmware, https://www.tp-link.com/en/support/download/archer-nx210/#Firmware, https://www.tp-link.com/en/support/download/archer-nx500/#Firmware, and https://www.tp-link.com/en/support/download/archer-nx600/#Firmware. Additionally, TP-Link has published an advisory at https://www.tp-link.com/us/support/faq/5027/.
Remediation
Immediately download and apply the latest firmware patches from TP-Link's support website for your specific Archer NX model and current firmware version. Visit the model-specific firmware download pages (https://www.tp-link.com/en/support/download/archer-nx200/#Firmware for NX200, and similar URLs for NX210, NX500, and NX600) and upgrade to the latest available firmware release, which contains the command injection fix. If immediate patching is not possible, implement compensating controls by restricting administrative access to trusted network segments only, disabling remote management features where feasible, and ensuring strong authentication mechanisms (unique, complex administrative passwords) are enforced. Additionally, monitor administrative CLI command logs for suspicious activity or unusual command patterns. Once patched, verify the firmware version in the device's web interface to confirm successful application of the security update.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today