CVE-2025-14756
Published: 26 January 2026
Summary
CVE-2025-14756 is a high-severity Command Injection (CWE-77) vulnerability in Tp-Link Archer Mr600 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of all inputs to the admin interface, blocking crafted inputs from reaching system command execution.
Mandates timely flaw remediation through firmware updates, eliminating the specific command injection vulnerability as recommended by TP-Link.
Enforces least privilege on authenticated admin accounts, limiting the scope and impact of any successfully injected system commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a command injection (CWE-77) in a public-facing web admin interface (AV:N), enabling remote exploitation (T1190) to execute arbitrary system (Unix shell) commands (T1059.004).
NVD Description
Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service…
more
disruption or full compromise.
Deeper analysisAI
CVE-2025-14756 is a command injection vulnerability (CWE-77) discovered in the admin interface component of TP-Link Archer MR600 v5 firmware. Published on 2026-01-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw enables authenticated attackers to execute system commands via crafted input in the browser developer console, though with a limited character length.
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation allows injection and execution of system commands, potentially resulting in service disruption or full compromise of the affected device.
Advisories from the Japan Vulnerability Notes (JVN) provide further details at https://jvn.jp/en/vu/JVNVU94651499/ and https://jvn.jp/vu/JVNVU94651499/. TP-Link recommends applying updated firmware, available for download at https://www.tp-link.com/en/support/download/archer-mr600/#Firmware, https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware, and https://www.tp-link.com/us/support/faq/4916/.
Details
- CWE(s)