CVE-2025-14756

8.8 HIGH
Published: January 26, 2026 Modified: March 09, 2026
View on NVD

Description

Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://jvn.jp/en/vu/JVNVU94651499/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Third Party Advisory
https://jvn.jp/vu/JVNVU94651499/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Third Party Advisory
https://www.tp-link.com/en/support/download/archer-mr600/#Firmware
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/us/support/faq/4916/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Vendor Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.8 / 10.0
EPSS (Exploit Probability)
0.3%
51th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-77

Affected Vendors

tp-link

Related CVEs

CVE-2026-4558 8.8
CVE-2026-4557 4.3
CVE-2026-4555 8.8
CVE-2026-4554 6.3
CVE-2026-33319 5.9