Cyber Resilience

CVE-2025-15035

Severity: Medium

Published: 09 January 2026

Modified: 09 March 2026
CVSS v4 Score: 6.9 (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15035 is a medium-severity Improper Input Validation (CWE-20) vulnerability in TP-Link Archer AXE75 firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE is ranked at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-15035 is an Improper Input Validation vulnerability (CWE-20) in the VPN modules of the TP-Link Archer AXE75 router version 1.6. It affects builds up to 20250107 and was published on 2026-01-09 with a CVSS v3.1 base score of 7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

An authenticated adjacent attacker can exploit this issue to delete arbitrary server files, potentially causing loss of critical system files, service interruptions, or degraded functionality. The attack requires low complexity, low privileges, and adjacency to the device, with high impact on integrity and availability but no confidentiality effects.

TP-Link provides firmware downloads for the Archer AXE75 v1 on its regional support pages, which indicates that updating beyond the vulnerable build 20250107 is the primary mitigation. Additional details are available in the Palo Alto Networks disclosure PANW-2025-0004 on GitHub and in a related TP-Link FAQ.

Vulnerability details

Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality. This issue affects Archer AXE75 v1.6: ≤ build 20250107.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1070.004 File Deletion (Stealth)
Adversaries may delete files left behind by the actions of their intrusion activity.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Improper input validation enables an authenticated adjacent attacker to perform arbitrary file deletion on the device, directly supporting file deletion for indicator removal and data destruction for availability/integrity impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15568 (same product: TP-Link Archer AXE75)
CVE-2026-1315 (same vendor: TP-Link)
CVE-2026-0919 (same vendor: TP-Link)
CVE-2025-15606 (same vendor: TP-Link)
CVE-2026-5509 (same vendor: TP-Link)
CVE-2026-1668 (same vendor: TP-Link)
CVE-2025-9014 (same vendor: TP-Link)
CVE-2026-0655 (same vendor: TP-Link)
CVE-2026-22221 (same vendor: TP-Link)
CVE-2026-30814 (same vendor: TP-Link)

Affected Assets

Vendor: tp-link
Product: archer axe75 firmware
Version: ≤ 1.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires validation of all inputs to the VPN modules before permitting file operations, blocking the arbitrary deletion path in CVE-2025-15035.

Prevent: Enforces explicit access-control policy on file-system operations so that even an authenticated adjacent user cannot delete arbitrary server files.

Prevent: Limits the privileges granted to adjacent authenticated accounts, reducing the set of files any single VPN-module session can delete.
