
TP-Link Patches Archer NX Auth Bypass, Still Faces Security Lawsuit

A missing authentication check in TP-Link’s Archer NX series allows unprivileged attackers to upload firmware. The update lands as the company defends a Texas lawsuit alleging deceptive security claims.

TP-Link’s newest patch fixes a router bug that lets strangers upload firmware without a password—five months after Texas sued the company for claiming its gear was secure.

The flaw, CVE-2025-15517, hits Archer NX200, NX210, NX500, and NX600 models through a missing authentication check in the HTTP server for certain CGI endpoints. According to TP-Link, “an attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.”
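The bug class described above, as an added illustration that is not TP-Link's firmware code: a dispatcher where authentication is opt-in per endpoint, next to a deny-by-default dispatcher and a regression check that counts privileged endpoints answering without a session. All paths, names and status handling are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical endpoint table; paths are constructed, not taken from any firmware. */
typedef struct { const char *path; bool is_public; } endpoint_t;
static const endpoint_t ENDPOINTS[] = {
    { "/cgi/login",           true  },
    { "/cgi/firmware_upload", false },
    { "/cgi/config_restore",  false },
};
#define N_ENDPOINTS (sizeof ENDPOINTS / sizeof ENDPOINTS[0])

/* Flawed pattern: protection is a separate opt-in list, and one privileged
   path (firmware upload) was never added to it. */
static const char *const AUTH_OPT_IN[] = { "/cgi/config_restore" };
#define N_OPT_IN (sizeof AUTH_OPT_IN / sizeof AUTH_OPT_IN[0])

int dispatch_opt_in(const char *path, bool session_valid) {
    for (size_t i = 0; i < N_OPT_IN; i++)
        if (strcmp(path, AUTH_OPT_IN[i]) == 0 && !session_valid) return 401;
    for (size_t i = 0; i < N_ENDPOINTS; i++)
        if (strcmp(path, ENDPOINTS[i].path) == 0) return 200;
    return 404;
}

/* Hardened: one choke point; every endpoint needs a session unless it is
   explicitly marked public, so a forgotten flag fails closed. */
int dispatch_default_deny(const char *path, bool session_valid) {
    for (size_t i = 0; i < N_ENDPOINTS; i++) {
        if (strcmp(path, ENDPOINTS[i].path) != 0) continue;
        return (!ENDPOINTS[i].is_public && !session_valid) ? 401 : 200;
    }
    return 404;
}

/* Regression check: how many non-public endpoints return 200 with no session? */
int count_exposed(int (*dispatch)(const char *, bool)) {
    int exposed = 0;
    for (size_t i = 0; i < N_ENDPOINTS; i++)
        if (!ENDPOINTS[i].is_public && dispatch(ENDPOINTS[i].path, false) == 200)
            exposed++;
    return exposed;
}

int main(void) {
    printf("opt-in: %d exposed; default-deny: %d exposed\n",
           count_exposed(dispatch_opt_in), count_exposed(dispatch_default_deny));
    return 0;
}
```

Running a check like `count_exposed` against the real route table in CI turns "an endpoint shipped without its auth check" into a build failure.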

In the same firmware drop the vendor excised a hardcoded cryptographic key (CVE-2025-15605) that let authenticated users decrypt, alter, and re-encrypt configuration files, plus two command-injection bugs (CVE-2025-15518 and CVE-2025-15519) that give admin-level code execution.

TP-Link “strongly” recommends installing the latest firmware, warning that “if you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.”

The release follows a September zero-day scramble for other router lines and CISA adding two earlier TP-Link bugs to its Known Exploited Vulnerabilities catalog after Quad7 botnet activity.

Texas Attorney General Paxton sued TP-Link in February, accusing the company of deceptively marketing routers as secure while Chinese state-sponsored actors allegedly exploited firmware flaws.