CVE-2025-15519
Published: 23 March 2026
Summary
CVE-2025-15519 is a high-severity OS Command Injection (CWE-78) vulnerability in Tp-Link Archer Nx200. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates improper input handling in the modem-management CLI command by enforcing validation to block crafted inputs that enable OS command injection.
Addresses the specific command injection flaw through timely flaw remediation, including application of vendor firmware patches.
Reduces the impact of injected arbitrary OS commands by enforcing least privilege on administrative processes and accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in administrative network device CLI directly enables arbitrary command execution via T1059.008.
NVD Description
Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands…
more
on the operating system, impacting the confidentiality, integrity, and availability of the device.
Deeper analysisAI
CVE-2025-15519 is an improper input handling vulnerability in a modem-management administrative CLI command affecting TP-Link Archer NX200, NX210, NX500, and NX600 routers. The flaw, classified under CWE-78 (OS Command Injection), enables crafted input to be executed as part of an operating system command. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An authenticated attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary operating system commands on the device, compromising confidentiality, integrity, and availability.
TP-Link advisories direct users to firmware download pages for the affected Archer NX200, NX210, NX500, and NX600 models to apply patches. Additional guidance is available in the support FAQ at https://www.tp-link.com/us/support/faq/5027/.
Details
- CWE(s)