CVE-2025-15607

Critical

Published: 20 March 2026

Published

20 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0047 64.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary…

commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the insufficient input handling in mscd debug functionality by requiring validation to prevent command injection via unvalidated file content concatenation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation through firmware updates provided by TP-Link to eliminate the command injection vulnerability.

CM-7 Least Functionality partial match

prevent

Minimizes exposure by restricting or prohibiting unnecessary debug functionality like mscd, reducing the attack surface for authenticated command injection.

Security SummaryAI

CVE-2025-15607 is a command injection vulnerability in the mscd debug functionality of TP-Link Archer AX53 v1 routers. It arises from insufficient input handling, which allows log redirection to arbitrary files and the concatenation of unvalidated file content into shell commands. Published on 2026-03-20, the vulnerability is classified under CWE-77 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers can exploit this flaw over the network with low complexity and no user interaction required. By manipulating inputs, they can inject arbitrary commands into shell execution, leading to the execution of malicious commands and potentially full control of the device.

TP-Link provides mitigation via updated firmware for Archer AX53 v1, available at https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware, along with additional guidance in their support FAQ at https://www.tp-link.com/us/support/faq/5025/.

Details

CWE(s): CWE-77

Affected Products

tp-link

archer ax53 firmware

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing router debug service (T1190) leading to remote command injection and shell execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
Product · f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/us/support/faq/5025/
Vendor Advisory · f23511db-6c3e-4e32-a477-6aa17d310630