CVE-2025-14756

High

Published: 26 January 2026

Published

26 January 2026

Modified

09 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0025 47.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service…

disruption or full compromise.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation of all inputs to the admin interface, blocking crafted inputs from reaching system command execution.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation through firmware updates, eliminating the specific command injection vulnerability as recommended by TP-Link.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on authenticated admin accounts, limiting the scope and impact of any successfully injected system commands.

Security SummaryAI

CVE-2025-14756 is a command injection vulnerability (CWE-77) discovered in the admin interface component of TP-Link Archer MR600 v5 firmware. Published on 2026-01-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw enables authenticated attackers to execute system commands via crafted input in the browser developer console, though with a limited character length.

An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation allows injection and execution of system commands, potentially resulting in service disruption or full compromise of the affected device.

Advisories from the Japan Vulnerability Notes (JVN) provide further details at https://jvn.jp/en/vu/JVNVU94651499/ and https://jvn.jp/vu/JVNVU94651499/. TP-Link recommends applying updated firmware, available for download at https://www.tp-link.com/en/support/download/archer-mr600/#Firmware, https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware, and https://www.tp-link.com/us/support/faq/4916/.

Details

CWE(s): CWE-77

Affected Products

tp-link

archer mr600 firmware

≤ 1.1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection (CWE-77) in a public-facing web admin interface (AV:N), enabling remote exploitation (T1190) to execute arbitrary system (Unix shell) commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://jvn.jp/en/vu/JVNVU94651499/
Third Party Advisory · f23511db-6c3e-4e32-a477-6aa17d310630
https://jvn.jp/vu/JVNVU94651499/
Third Party Advisory · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/en/support/download/archer-mr600/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/4916/
Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630