CVE-2025-15517
Published: 23 March 2026
Summary
CVE-2025-15517 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Tp-Link Archer Nx200. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to system resources, directly addressing the missing authentication check on privileged CGI endpoints.
Explicitly identifies and authorizes only specific actions without identification or authentication while monitoring unauthorized use, preventing unintended unauthenticated access to firmware upload and configuration operations.
Requires timely identification, reporting, and correction of flaws like the missing authentication check via firmware updates provided by the vendor.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication in HTTP server CGI endpoints enables unauthenticated attackers to exploit public-facing router web application for privileged actions like firmware uploads and configuration changes.
NVD Description
A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and…
more
configuration operations.
Deeper analysisAI
CVE-2025-15517, published on 2026-03-23, is a missing authentication check vulnerability (CWE-306) in the HTTP server of TP-Link Archer NX200, NX210, NX500, and NX600 routers. The flaw affects certain CGI endpoints, enabling unauthenticated access to features intended exclusively for authenticated users. It carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated attacker on an adjacent network can exploit this low-complexity vulnerability without user interaction. Exploitation allows performance of privileged HTTP actions, such as firmware uploads and configuration operations, resulting in high confidentiality and integrity impacts.
TP-Link provides firmware updates for mitigation on dedicated support download pages for the Archer NX200, NX210, NX500, and NX600 models, along with additional guidance in their FAQ at https://www.tp-link.com/us/support/faq/5027/.
Details
- CWE(s)