Cyber Resilience

CVE-2025-15605

High

Published: 23 March 2026

Modified: 31 March 2026
KEV Added
Patch
CVSS Score (v4): 8.5
CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0013 (3.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15605 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in TP-Link Archer NX200. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The vulnerability ranks at the 3.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15605 involves a hardcoded cryptographic key in the configuration mechanism of TP-Link Archer NX200, NX210, NX500, and NX600 routers. This vulnerability enables decryption and re-encryption of device configuration data, compromising its confidentiality and integrity. Published on 2026-03-23, it carries a CVSS 3.1 base score of 7.3 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-798 (Use of Hard-coded Credentials).

An authenticated attacker with low privileges (PR:L) on an adjacent network (AV:A) can exploit this with low complexity and no user interaction. Successful exploitation allows the attacker to decrypt configuration files, make arbitrary modifications, and re-encrypt them, enabling tampering with sensitive data such as network settings, credentials, or administrative configurations.

Mitigation is available through firmware updates provided by TP-Link on their support pages for Archer NX200, NX210, NX500, and NX600 models. Additional details are outlined in TP-Link FAQ 5027.

Vulnerability details

A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1552 · Unsecured Credentials · Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

T1602.002 · Network Device Configuration Dump · Collection
Adversaries may access network configuration files to collect sensitive data about the device and the network.

Why these techniques?

Hardcoded key directly enables config decryption (T1602.002 Network Device Configuration Dump) and exposes unsecured credentials (T1552 Unsecured Credentials).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15517 · Same product: TP-Link Archer NX200
CVE-2025-15519 · Same product: TP-Link Archer NX200
CVE-2025-15518 · Same product: TP-Link Archer NX200
CVE-2024-57040 · Same vendor: TP-Link
CVE-2026-0655 · Same vendor: TP-Link
CVE-2026-0654 · Same vendor: TP-Link
CVE-2025-25901 · Same vendor: TP-Link
CVE-2026-0834 · Same vendor: TP-Link
CVE-2025-62673 · Same vendor: TP-Link
CVE-2026-22229 · Same vendor: TP-Link

Affected Assets

TP-Link Archer NX600 firmware: ≤ 1.3.0 · ≤ 1.3.0 · ≤ 1.4.0
TP-Link Archer NX500 firmware: ≤ 1.5.0 · ≤ 1.3.0
TP-Link Archer NX210 firmware: ≤ 1.3.0 · ≤ 1.3.0
TP-Link Archer NX200 firmware: ≤ 1.3.0 · ≤ 1.3.0 · ≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly prevents exploitation of hardcoded cryptographic keys by requiring secure key establishment, distribution, and management practices in the router's configuration mechanism.

Prevent: Mitigates the vulnerability through timely flaw remediation via vendor-provided firmware updates that remove the hardcoded key.

Detect: Detects unauthorized modifications to configuration data and firmware through integrity verification mechanisms like cryptographic hashes.
