CVE-2025-15607

CriticalRCE

Published: 20 March 2026

Published

20 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0031 54.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-15607 is a critical-severity Command Injection (CWE-77) vulnerability in Tp-Link Archer Ax53 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the insufficient input handling in mscd debug functionality by requiring validation to prevent command injection via unvalidated file content concatenation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation through firmware updates provided by TP-Link to eliminate the command injection vulnerability.

CM-7 Least Functionality partial match

prevent

Minimizes exposure by restricting or prohibiting unnecessary debug functionality like mscd, reducing the attack surface for authenticated command injection.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing router debug service (T1190) leading to remote command injection and shell execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary…

commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.

Deeper analysisAI

CVE-2025-15607 is a command injection vulnerability in the mscd debug functionality of TP-Link Archer AX53 v1 routers. It arises from insufficient input handling, which allows log redirection to arbitrary files and the concatenation of unvalidated file content into shell commands. Published on 2026-03-20, the vulnerability is classified under CWE-77 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers can exploit this flaw over the network with low complexity and no user interaction required. By manipulating inputs, they can inject arbitrary commands into shell execution, leading to the execution of malicious commands and potentially full control of the device.

TP-Link provides mitigation via updated firmware for Archer AX53 v1, available at https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware, along with additional guidance in their support FAQ at https://www.tp-link.com/us/support/faq/5025/.

Details

CWE(s): CWE-77

Affected Products

tp-link

archer ax53 firmware

1.0

CVEs Like This One

CVE-2025-15608Same product: Tp-Link Archer Ax53

CVE-2026-30814Same product: Tp-Link Archer Ax53

CVE-2026-30818Same product: Tp-Link Archer Ax53

CVE-2025-61944Same product: Tp-Link Archer Ax53

CVE-2026-30815Same product: Tp-Link Archer Ax53

CVE-2025-62404Same product: Tp-Link Archer Ax53

CVE-2025-59487Same product: Tp-Link Archer Ax53

CVE-2025-62405Same product: Tp-Link Archer Ax53

CVE-2025-59482Same product: Tp-Link Archer Ax53

CVE-2025-58077Same product: Tp-Link Archer Ax53

References

https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/5025/
Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630