Cyber Resilience

CVE-2025-15519

High

Published: 23 March 2026

Published
23 March 2026
Modified
31 March 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0062 45.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-15519 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Nx200. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15519 is an improper input handling vulnerability in a modem-management administrative CLI command affecting TP-Link Archer NX200, NX210, NX500, and NX600 routers. The flaw, classified under CWE-78 (OS Command Injection), enables crafted input to be executed as part of an operating system command. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary operating system commands on the device, compromising confidentiality, integrity, and availability.

TP-Link advisories direct users to firmware download pages for the affected Archer NX200, NX210, NX500, and NX600 models to apply patches. Additional guidance is available in the support FAQ at https://www.tp-link.com/us/support/faq/5027/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands…

more

on the operating system, impacting the confidentiality, integrity, and availability of the device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection in administrative network device CLI directly enables arbitrary command execution via T1059.008.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15518Same product: Tp-Link Archer Nx200
CVE-2026-22224Same vendor: Tp-Link
CVE-2025-15517Same product: Tp-Link Archer Nx200
CVE-2025-15605Same product: Tp-Link Archer Nx200
CVE-2026-22222Same vendor: Tp-Link
CVE-2026-3841Same vendor: Tp-Link
CVE-2025-6542Same vendor: Tp-Link
CVE-2026-30815Same vendor: Tp-Link
CVE-2026-0631Same vendor: Tp-Link
CVE-2026-30818Same vendor: Tp-Link

Affected Assets

tp-link
archer nx600 firmware
≤ 1.3.0 · ≤ 1.3.0 · ≤ 1.4.0
tp-link
archer nx500 firmware
≤ 1.5.0 · ≤ 1.3.0
tp-link
archer nx210 firmware
≤ 1.3.0 · ≤ 1.3.0
tp-link
archer nx200 firmware
≤ 1.3.0 · ≤ 1.3.0 · ≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates improper input handling in the modem-management CLI command by enforcing validation to block crafted inputs that enable OS command injection.

prevent

Addresses the specific command injection flaw through timely flaw remediation, including application of vendor firmware patches.

prevent

Reduces the impact of injected arbitrary OS commands by enforcing least privilege on administrative processes and accounts.

References