securityonline.info 1/28/2026, 1:35:28 AM · via preferred

Router Takeover: High-Severity Command Injection Flaw Hits TP-Link Archer MR600

CVE intel: not in CISA KEV; patch available.

TP-Link has issued a security advisory for its Archer MR600 v5 router, warning of a high-severity authenticated command injection flaw tracked as CVE-2025-14756 with a CVSS score of 8.5. The vulnerability resides in the router’s web-based admin interface and can allow an authenticated attacker to execute system commands with a limited character length via input in the browser developer console, according to the advisory.

The issue arises because inputs in the admin panel are not properly sanitised, meaning a logged-in attacker could potentially move beyond standard admin privileges and gain root-level control. TP-Link notes that exploitation requires authentication, but the consequences can be severe, including service disruption or full device compromise.

Affected devices running firmware older than 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n are advised to upgrade to the latest firmware, downloadable from the TP-Link support page, to mitigate the vulnerability. The firm urges users to update promptly to protect their networks. 28 January 2026.
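To apply the firmware threshold above across an inventory, the following added example (not code from TP-Link or from the article) classifies reported firmware strings against the fixed release. It assumes the strings follow the layout quoted above, that the `Build` field is a YYMMDD date, and that ordering by firmware version and then build reflects release order; the inventory rows and hostnames are constructed.

```python
import re

# Fixed firmware string as quoted in the article.
FIXED = "1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n"
# Model and hardware revision named in the article.
AFFECTED_MODEL = "Archer MR600 v5"

# Assumed layout: "<fw ver> <sub ver> v<rev> Build <YYMMDD> Rel.<id>"
_FW_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)\s+\S+\s+v\S+\s+Build\s+(\d{6})\s+Rel\.\S+\s*$"
)

def parse_firmware(s):
    """Return ((major, minor, patch), build) or None if the layout does not match."""
    m = _FW_RE.match(s if isinstance(s, str) else "")
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def classify(firmware):
    """Compare a firmware string with the fixed release; unparseable input is never 'fixed'."""
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown"  # needs manual review rather than a silent pass
    return "needs-update" if parsed < parse_firmware(FIXED) else "fixed-or-newer"

def triage(inventory):
    """inventory: iterable of (host, model, firmware) -> {host: status}."""
    result = {}
    for host, model, firmware in inventory:
        if model.strip().lower() != AFFECTED_MODEL.lower():
            result[host] = "out-of-scope"  # not the model/revision the article names
        else:
            result[host] = classify(firmware)
    return result

# Constructed sample inventory (hostnames and older build values are made up).
SAMPLE = [
    ("gw-branch-01", "Archer MR600 v5", "1.1.0 0.9.1 v0001.0 Build 250410 Rel.51234n"),
    ("gw-branch-02", "Archer MR600 v5", FIXED),
    ("gw-branch-03", "Archer MR600 v5", "n/a (poll timed out)"),
    ("gw-lab-01", "Archer MR600 v3", "1.1.0 0.9.1 v0001.0 Build 240101 Rel.11111n"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
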


Article by CyberSIXT