TP-Link critical authentication bypass - patch available

OVERKILL (Ontario, Canada)
https://www.bleepingcomputer.com/ne...rs-to-patch-critical-router-auth-bypass-flaw/

Quote from the article:
"TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware.

Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.

"A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users," TP-Link explained earlier this week when it released security updates that address the vulnerability.

"An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations."

TP-Link also removed a hardcoded cryptographic key (CVE-2025-15605) in the configuration mechanism, which allowed authenticated attackers to decrypt configuration files, modify them, and re-encrypt them.

Additionally, it addressed two command injection vulnerabilities (CVE-2025-15518 and CVE-2025-15519) that enable threat actors with admin privileges to execute arbitrary commands."

So, if you own any of the devices listed above:
- NX200
- NX210
- NX500
- NX600

Download and install the updated firmware ASAP.

However, it's important to note that according to the article, two other CVEs:
- CVE-2023-50224
- CVE-2025-9377

are being actively exploited in the wild. It doesn't appear that these are addressed in an update, likely due to the devices affected being "obsolete", which of course doesn't generally stop home and SMB users from using them.

The current list of actively exploited TP-Link vulnerabilities is covered by CISA and notes the following devices, across 6 exploits:
- TL-WR841N
- Archer C7
- TL-WA855RE
- TL-WR940N V2/V4
- TL-WR841N V8/V10
- TL-WR740 V1/V2
- Archer AX21


So, in short, patch your junk! And if it doesn't have an update available, I'd recommend looking at upgrading.
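The critical bug quoted above is a missing authentication check on some CGI endpoints: the server only refused unauthenticated requests where each handler happened to remember to check. The snippet below is an added illustration, not TP-Link's code or the actual affected firmware; the endpoint paths, session-cookie scheme and request shape are constructed for the example. It contrasts the per-handler pattern (where one forgotten check exposes firmware upload) with a default-deny dispatcher that enforces authentication in one place before any handler runs, with an explicit allowlist of the few endpoints that must be public.

```python
"""Per-handler vs. default-deny authentication in a router-style CGI dispatcher.

Added example; endpoint names, the session token and the Request shape are
constructed and do not come from any real firmware.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str = "GET"
    cookies: dict = field(default_factory=dict)


# Constructed sample session store: one valid admin session token.
VALID_SESSIONS = {"s3ss10n-admin"}


def is_authenticated(req: Request) -> bool:
    return req.cookies.get("session") in VALID_SESSIONS


# --- Vulnerable pattern: every handler must remember to check -------------
# Only handlers that call is_authenticated() are protected. The firmware
# upload handler below forgot, which is the class of defect the advisory
# describes: a privileged action reachable without a session.
def vuln_status(req: Request):
    if not is_authenticated(req):
        return 401, "login required"
    return 200, "status ok"


def vuln_firmware_upload(req: Request):
    # No authentication check here: this is the bug.
    return 200, "firmware accepted"


VULNERABLE_ROUTES = {
    "/cgi/status": vuln_status,
    "/cgi/firmware_upload": vuln_firmware_upload,
}


def vulnerable_dispatch(req: Request):
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)


# --- Hardened pattern: deny by default, allowlist the public endpoints -----
PUBLIC_ROUTES = {"/cgi/login"}          # the only paths reachable without a session
STATE_CHANGING = {"/cgi/firmware_upload"}  # additionally require POST


def hard_login(req: Request):
    return 200, "login form"


def hard_status(req: Request):
    return 200, "status ok"


def hard_firmware_upload(req: Request):
    return 200, "firmware accepted"


HARDENED_ROUTES = {
    "/cgi/login": hard_login,
    "/cgi/status": hard_status,
    "/cgi/firmware_upload": hard_firmware_upload,
}


def hardened_dispatch(req: Request):
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    # Authentication is enforced once, before any handler runs, so a new
    # endpoint added to HARDENED_ROUTES is protected unless explicitly
    # placed in PUBLIC_ROUTES.
    if req.path not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401, "login required"
    if req.path in STATE_CHANGING and req.method != "POST":
        return 405, "method not allowed"
    return handler(req)


def unprotected_routes(routes: dict, public: set) -> set:
    """Audit helper: routes the dispatcher will serve without a session."""
    return set(routes) & public
```

With the per-handler pattern an unauthenticated POST to the upload endpoint returns 200; with the default-deny dispatcher the same request returns 401, and only a request carrying a valid session cookie reaches the handler. The `unprotected_routes` helper is the kind of check a firmware review would run: the answer should be exactly the allowlist, never a privileged endpoint.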
 
It seems your complaints have been heard, Overkill, though it doesn't affect Canada. The FCC just announced that it has severely curtailed the import of crappy TP-Link and similar Chinese routers due to security concerns. Apparently, a process for getting import waivers will be set up along with some kind of vetting process, and it was implied in this Reuters article that the Pentagon (and the US military cyber warfare command, I assume) would be involved in the process.

https://www.reuters.com/sustainabil...-routers-citing-security-concerns-2026-03-23/
 
It seems your complaints have been heard, Overkill, though it doesn't affect Canada. The FCC just announced that it has severely curtailed the import of crappy TP-Link and similar Chinese routers due to security concerns. Apparently, a process for getting import waivers will be set up along with some kind of vetting process, and it was implied in this Reuters article that the Pentagon (and the US military cyber warfare command, I assume) would be involved in the process.

https://www.reuters.com/sustainabil...-routers-citing-security-concerns-2026-03-23/
Yep, saw that. It's getting mixed reception from the cybersecurity community who see this as heavy handed, while not addressing issues with the products currently in use which are either being actively exploited, or will risk being exploited in the future due to undiscovered vulnerabilities that may not be patched.

This, as I've expounded on in previous exchanges on this subject matter, is a core problem with inexpensive consumer-grade connected electronics. Historically, the "blast radius" for cheap consumer junk was localized. If the inverter on your "Pannymesonic" microwave packed it in, this didn't affect national security. With the advent of connected devices and smart homes, we are now packing homes and businesses with all manner of equally cheap product with no obligation for the manufacturer to ensure, nor maintain, the security of that product through its entire lifecycle, something that can be considerably longer than the period defined by end-of-sale. This produces a near infinite number of potential trojan horses ready to be exploited by bad actors.

The real solution to me appears to be some sort of mandate requiring long-term security support for every connected consumer device that extends well outside of the end-of-sale period. This will drive up prices, but not by a huge amount, and would actually address the issue at hand.
 
Yep, saw that. It's getting mixed reception from the cybersecurity community who see this as heavy handed, while not addressing issues with the products currently in use which are either being actively exploited, or will risk being exploited in the future due to undiscovered vulnerabilities that may not be patched.

This, as I've expounded on in previous exchanges on this subject matter, is a core problem with inexpensive consumer-grade connected electronics. Historically, the "blast radius" for cheap consumer junk was localized. If the inverter on your "Pannymesonic" microwave packed it in, this didn't affect national security. With the advent of connected devices and smart homes, we are now packing homes and businesses with all manner of equally cheap product with no obligation for the manufacturer to ensure, nor maintain, the security of that product through its entire lifecycle, something that can be considerably longer than the period defined by end-of-sale. This produces a near infinite number of potential trojan horses ready to be exploited by bad actors.

The real solution to me appears to be some sort of mandate requiring long-term security support for every connected consumer device that extends well outside of the end-of-sale period. This will drive up prices, but not by a huge amount, and would actually address the issue at hand.

The worst part is when it is a possibility of real danger vs just inconvenience.

Everyone knows I love EVs, but there are so many poor quality EV chargers available online... that's its own issue, but the "smart" ones add a far worse layer to this whole thing... that we're dealing with this trash being connected to the internet. Same thing with "smart" power plugs (I'll admit I have some here; around Christmas time we use them for the Christmas tree lights)... this stuff can be exploited to the point that it could cause major damage to property and life. If you have a smart plug connected to something that uses enough current and you "hack" into it and cycle it on and off fast enough for long enough, you can probably get whatever cheap relay is in there to catch on fire. And with the EV chargers you're dealing with way more power. I'm not saying that EV chargers are unsafe, but generic trash ones are, especially when they're connected to the internet.

As the CVEs listed in this thread show and other data online... just because it's name brand doesn't mean it's great/safe either. Perhaps a name brand EV charger that's UL listed is electrically safe... but it can still be compromised. EnelX for example... very popular charging station brand that went belly up. Honda was including these with Prologues! Yes they have a replacement program but most people don't understand such things and will just toss the letter thinking "well, it still works, so why bother..."
 
On a related note, when you bring a retail cable modem to your provider, they control the software version (and config).
 
It seems your complaints have been heard, Overkill, though it doesn't affect Canada. The FCC just announced that it has severely curtailed the import of crappy TP-Link and similar Chinese routers due to security concerns. Apparently, a process for getting import waivers will be set up along with some kind of vetting process, and it was implied in this Reuters article that the Pentagon (and the US military cyber warfare command, I assume) would be involved in the process.

https://www.reuters.com/sustainabil...-routers-citing-security-concerns-2026-03-23/

It’s more than just that. I haven’t bought any Wi-Fi unit made in China. Taiwan or maybe Vietnam. But this new rule is about where it’s designed and assembled not being in the United States. Unless they’re handing out a lot of waivers for manufacturing in Taiwan or Vietnam, I can’t see any new ones coming out for years.
 
It seems your complaints have been heard, Overkill, though it doesn't affect Canada. The FCC just announced that it has severely curtailed the import of crappy TP-Link and similar Chinese routers due to security concerns. Apparently, a process for getting import waivers will be set up along with some kind of vetting process, and it was implied in this Reuters article that the Pentagon (and the US military cyber warfare command, I assume) would be involved in the process.

https://www.reuters.com/sustainabil...-routers-citing-security-concerns-2026-03-23/
Apparently, the FCC ban applies to the sale of new consumer-grade routers manufactured outside the US.

But are there any consumer routers made in the US, other than maybe Starlink?

https://www.wired.com/story/us-government-foreign-made-router-ban-explained/
 
It seems your complaints have been heard, Overkill, though it doesn't affect Canada. The FCC just announced that it has severely curtailed the import of crappy TP-Link and similar Chinese routers due to security concerns. Apparently, a process for getting import waivers will be set up along with some kind of vetting process, and it was implied in this Reuters article that the Pentagon (and the US military cyber warfare command, I assume) would be involved in the process.

https://www.reuters.com/sustainabil...-routers-citing-security-concerns-2026-03-23/
So what is the brand of non-price-gouging cheap routers we can still buy now? I don't think Linksys, D-Link, ASUS, Acer, etc. are that much more secure in the cheaper-than-$60 department.
 
Apparently, the FCC ban applies to the sale of new consumer-grade routers manufactured outside the US.

But are there any consumer routers made in the US, other than maybe Starlink?

https://www.wired.com/story/us-government-foreign-made-router-ban-explained/

Doesn't matter, they are all using the same reference design and reference software to start with and will likely have the same known exploit.

Unless maybe you pay $500 for pro-sumer or commercial grade stuff, which is overkill. Maybe renting a router from Comcast for $10 a month is your own solution without going used-router hunting on eBay.
 
So what is the brand of non-price-gouging cheap routers we can still buy now? I don't think Linksys, D-Link, ASUS, Acer, etc. are that much more secure in the cheaper-than-$60 department.
Well, as of right now, all products that have already been granted an FCC ID can continue to be imported and sold. This new rule only affects new products going forward.
 
Yep, saw that. It's getting mixed reception from the cybersecurity community who see this as heavy handed, while not addressing issues with the products currently in use which are either being actively exploited, or will risk being exploited in the future due to undiscovered vulnerabilities that may not be patched.

This, as I've expounded on in previous exchanges on this subject matter, is a core problem with inexpensive consumer-grade connected electronics. Historically, the "blast radius" for cheap consumer junk was localized. If the inverter on your "Pannymesonic" microwave packed it in, this didn't affect national security. With the advent of connected devices and smart homes, we are now packing homes and businesses with all manner of equally cheap product with no obligation for the manufacturer to ensure, nor maintain, the security of that product through its entire lifecycle, something that can be considerably longer than the period defined by end-of-sale. This produces a near infinite number of potential trojan horses ready to be exploited by bad actors.

The real solution to me appears to be some sort of mandate requiring long-term security support for every connected consumer device that extends well outside of the end-of-sale period. This will drive up prices, but not by a huge amount, and would actually address the issue at hand.
Comcast, AT&T, etc. should be the ones responsible for blocking these kinds of attacks. What is next? Lock down your PC like your workplace does to its own laptops, so you cannot run any software you want?

Or what about locking up Linux so people cannot download it and install it on their own PC because of "cyber security"?

Or everyone has to install apps only from Microsoft Store and mandate installation of Windows 11 and upgrade your machine so that you are locked inside a walled garden?
 
So what is the brand of non-price-gouging cheap routers we can still buy now? I don't think Linksys, D-Link, ASUS, Acer, etc. are that much more secure in the cheaper-than-$60 department.
Skip a couple of Starbucks and get a UniFi 😁
The new Express is the cheapest all-in-one.
Although technically you could get a Cloud Gateway Ultra and use your old router as a WAP.
 