India's CERT-In Warns of High-Severity TP-Link Router Flaws Affecting Archer NX200, NX210, NX500, and NX600 Models
India's Computer Emergency Response Team (CERT-In) has issued a high-severity warning for multiple vulnerabilities affecting TP-Link Archer NX200, NX210, NX500, and NX600 routers, flaws that could allow attackers to bypass authentication, execute commands, and tamper with device configuration data.
The advisory, tracked as CIVN-2026-0158, says the issues could let an attacker perform unauthorized privileged HTTP actions and potentially modify sensitive configuration data on affected devices. The notice specifically warns of risks to confidentiality, integrity, and availability, underscoring the security impact of flaws in internet-facing edge hardware that often sits at the front line of home and small business networks.
TP-Link has separately published a security advisory confirming the vulnerabilities and urging customers to update to the latest firmware. The company assigned a CVSS v4 score of 8.6 to the authorization bypass flaw and 8.5 to the command injection and hardcoded key issues, classifying all of them as high severity.
The vulnerabilities highlighted in the advisories are listed below:
- CVE-2025-15517 - an authorization bypass issue caused by a missing authentication check in certain HTTP server CGI endpoints. TP-Link said the flaw could allow unauthenticated attackers to perform privileged HTTP actions, including firmware uploads and configuration operations.
- CVE-2026-15518 and CVE-2026-15519 - command injection flaws in administrative CLI paths related to wireless control and modem management. According to TP-Link, an authenticated attacker with administrative privileges could execute arbitrary operating system commands on the device.
- CVE-2025-15605 - a hardcoded cryptographic key issue in the configuration encryption mechanism that could allow an attacker to decrypt, modify, and re-encrypt router configuration data.
The affected models span multiple hardware revisions. TP-Link said vulnerable versions include Archer NX200, NX210, NX500, and NX600 devices running firmware below patched build thresholds, with affected releases ranging across v1.0, v2.0, v2.20, and v3.0 depending on model. The vendor advisory lists fixed firmware including builds such as 1.8.0 Build 260311 for Archer NX200 v1.0, 1.5.0 Build 260309 for Archer NX500 v2.0, and 1.3.0 Build 260309/260311 for several other hardware variants.
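For anyone checking a fleet against those thresholds, the sketch below is an added example (not code from TP-Link or CERT-In) that classifies devices using only the two fixed builds named above with an explicit model and hardware revision. The function names and inventory rows are constructed for illustration, and it assumes firmware strings follow the "X.Y.Z Build NNNNNN" form quoted in the advisory and that a higher version or build number means a later release.

```python
import re

# Fixed builds named in the article: (model, hardware revision) -> (version, build).
# Other variants are deliberately absent; take their thresholds from the vendor advisory.
FIXED = {
    ("NX200", "v1.0"): ((1, 8, 0), 260311),
    ("NX500", "v2.0"): ((1, 5, 0), 260309),
}

FW_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{6})", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, patch), build), or None if the string is unreadable."""
    m = FW_RE.search(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3])), int(m[4])


def assess(model, hw_rev, firmware):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    model = model.upper().replace("ARCHER", "").strip()
    fixed = FIXED.get((model, hw_rev.lower()))
    parsed = parse_firmware(firmware)
    if fixed is None or parsed is None:
        return "unknown"  # never report an unlisted or unreadable device as safe
    # Assumption: ordering is by version first, then build number.
    return "patched" if parsed >= fixed else "vulnerable"


# Constructed inventory rows: model, hardware revision, firmware string from the admin UI.
INVENTORY = [
    ("Archer NX200", "v1.0", "1.8.0 Build 260311"),
    ("Archer NX200", "v1.0", "1.7.2 Build 250918"),
    ("Archer NX500", "v2.0", "1.5.0 Build 260101"),
    ("Archer NX600", "v3.0", "1.3.0 Build 260309"),
    ("Archer NX500", "v2.0", "firmware: n/a"),
]


def audit(inventory=INVENTORY):
    """Return each inventory row with its classification appended."""
    return [(m, hw, fw, assess(m, hw, fw)) for m, hw, fw in inventory]


if __name__ == "__main__":
    for row in audit():
        print("{:13} {:5} {:22} {}".format(*row))
```

Devices reported as "unknown" are the ones to look up by hand in the vendor advisory, since the article does not pair every hardware variant with a specific fixed build.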
From a practical security perspective, the most concerning flaw is the authorization bypass issue because it lowers the bar for exploitation. If an attacker can reach the vulnerable management interface over the local network, or through unsafe remote exposure, they may be able to perform actions normally reserved for authenticated administrators. That opens the door to configuration abuse, malicious firmware operations, or persistent manipulation of networking settings.
The command injection bugs are also serious because they can give attackers direct operating-system-level control once administrative access is obtained. In real-world terms, that could enable everything from device reconfiguration and traffic interception to persistence and use of the router as a foothold inside the broader network.
The hardcoded key issue introduces a different but still dangerous risk. Router configuration files often contain highly sensitive information, including administrative settings, Wi-Fi details, ISP parameters, and in some cases credentials or secrets used to maintain connectivity. A flaw that allows decryption and trusted re-encryption of those files can let an attacker quietly alter the device state while preserving what appears to be a valid configuration package.
These kinds of vulnerabilities matter because routers are often patched far less consistently than laptops, phones, or servers. Many users deploy them once, leave default management assumptions in place, and only revisit them when internet connectivity breaks. That makes edge devices an attractive target for attackers looking for durable access, traffic visibility, or a way to compromise multiple downstream devices without directly attacking each one.
TP-Link said users should immediately update to the latest available firmware for affected Archer NX-series models. Organizations and individuals should also verify that router administration panels are not unnecessarily exposed, disable remote management unless it is explicitly needed, rotate admin credentials if compromise is suspected, and review configuration integrity after patching.
One small point worth noting is that the public references currently show a numbering inconsistency for two of the command injection issues. CERT-In material shared publicly references CVE-2025-15518 and CVE-2025-15519, while TP-Link's advisory lists them as CVE-2026-15518 and CVE-2026-15519. Until the identifiers are harmonized across databases and advisories, defenders should match on the vulnerability descriptions and affected products rather than relying only on the year embedded in the CVE strings.
Reference Links and Sources
- TP-Link Security Advisory on Multiple Vulnerabilities in Archer NX200, NX210, NX500, and NX600
- CERT-In Vulnerability Note: CIVN-2026-0158
- TP-Link firmware update guidance and affected version details