Unrated severityNVD Advisory· Published Jan 26, 2026· Updated Feb 26, 2026

Authenticated Command Injection Vulnerability in Archer MR600

CVE-2025-14756

Description

Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.

Affected products

TP-Link/Archer MR600llm-create
Range: = v5 firmware
TP-Link Systems Inc./Archer MR600 v5.0v5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.tp-link.com/en/support/download/archer-mr600/mitrepatch
www.tp-link.com/jp/support/download/archer-mr600/mitrepatch
www.tp-link.com/us/support/faq/4916/mitrevendor-advisory
jvn.jp/en/vu/JVNVU94651499/mitre
jvn.jp/vu/JVNVU94651499/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000