Auth bypass in Tp-link Systems Inc. Archer Nx200 V1.0

CVE-2025-15517

A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions with…

Vulnerability class: Broken Authentication

EPSS: 0.001 (22.7th percentile) — read the EPSS interpretation.

Affected products

Tp-link Systems Inc. Archer Nx200 V1.0 — versions 0
Tp-link Systems Inc. Archer Nx200 V2.0 — versions 0
Tp-link Systems Inc. Archer Nx200 V2.20 — versions 0
Tp-link Systems Inc. Archer Nx200 V3.0 — versions 0
Tp-link Systems Inc. Archer Nx210 V2.0 V2.20 — versions 0
Tp-link Systems Inc. Archer Nx210 V3.0 — versions 0
Tp-link Systems Inc. Archer Nx500 V1.0 — versions 0
Tp-link Systems Inc. Archer Nx500 V2.0 — versions 0
Tp-link Systems Inc. Archer Nx600 V1.0 — versions 0
Tp-link Systems Inc. Archer Nx600 V2.0 — versions 0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

www.tp-link.com/en/support/download/archer-nx200/ (patch)
www.tp-link.com/en/support/download/archer-nx210/ (patch)
www.tp-link.com/en/support/download/archer-nx500/ (patch)
www.tp-link.com/en/support/download/archer-nx600/ (patch)
www.tp-link.com/us/support/faq/5027/ (vendor-advisory)