Published: 2026/01/27 Last Updated: 2026/01/27
JVNVU#94651499
Archer MR600 vulnerable to OS command injection
Overview
Archer MR600 provided by TP-Link Systems Inc. contains an OS command injection vulnerability.
Products Affected
- Archer MR600 v5 firmware versions prior to 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n
Description
Archer MR600 provided by TP-Link Systems Inc. contains the following vulnerability.
- OS command injection (CWE-78)
  - CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.5
  - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 6.8
  - CVE-2025-14756
Impact
An attacker who can log in to the management web interface may execute arbitrary OS commands on the product.
Solution
Update the firmware
Update the firmware to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| --- | --- |
| TP-Link Systems Inc. | Security Advisory on Authenticated Command injection Vulnerability in Archer MR600 (CVE-2025-14756) |
Credit
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.