CVE-2025-15551: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in TP-Link Systems Inc. Archer MR200 v5.2
The response returned by TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is executed directly by a JavaScript function such as eval, without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.
AI Analysis
Technical Summary
CVE-2025-15551 is an 'Eval Injection' vulnerability (CWE-95) found in several TP-Link router models, including Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4. The vulnerability stems from the routers' admin web portals executing server responses directly via JavaScript's eval function without sanitization or validation. This improper neutralization of directives allows an attacker positioned as a Man-in-the-Middle (MitM) to intercept and modify the HTTP responses sent to the router's admin interface. By injecting malicious JavaScript code into these responses, the attacker can execute arbitrary scripts within the context of the router's admin portal. This can lead to unauthorized configuration changes, credential theft, or pivoting attacks against devices on the local network. The CVSS 4.0 score is 5.9 (medium), reflecting that exploitation requires network-level access (adjacent network), user interaction, and no privileges or authentication. The vulnerability does not require the attacker to authenticate but depends on successful MitM positioning and user interaction to trigger the malicious code execution. No patches or exploits are currently documented, but the issue is critical due to the common use of these router models and the potential for significant network compromise.
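To make the flaw concrete, the following is an added illustration (not TP-Link firmware code and not taken from the advisory) of the pattern the analysis describes, a response body handed straight to eval(), beside a hardened handler that parses the body as JSON data and validates its shape before use. The response format (an object with an integer "errorno" and an object "data") and the field names are assumptions.

```javascript
// Added example, not the router's own code. The response layout (integer
// "errorno" plus object "data") and field names are assumptions.

// Vulnerable pattern named in the advisory: whatever arrives in the HTTP
// response (from the router, or from a MitM on a plaintext session) is
// evaluated as JavaScript in the admin page, so data and code are not separated.
function handleResponseUnsafe(body) {
  return eval("(" + body + ")");
}

// Hardened handler: treat the body strictly as data, then check its shape.
function handleResponseSafe(body) {
  let obj;
  try {
    obj = JSON.parse(body); // JSON.parse parses data; it never executes code
  } catch (e) {
    return { ok: false, reason: "not valid JSON" };
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, reason: "not an object" };
  }
  if (!Number.isInteger(obj.errorno)) {
    return { ok: false, reason: "missing or non-integer errorno" };
  }
  if (obj.data === null || typeof obj.data !== "object" || Array.isArray(obj.data)) {
    return { ok: false, reason: "missing data object" };
  }
  return { ok: true, errorno: obj.errorno, data: obj.data };
}

// Constructed sample bodies for illustration only.
const LEGIT_BODY = '{"errorno":0,"data":{"wan_status":"connected"}}';
// A tampered body: a valid JavaScript expression but not valid JSON. eval()
// would run it; the hardened handler rejects it without executing anything.
const TAMPERED_BODY = '(function(){ return {errorno:0,data:{}}; })()';

function demo() {
  return {
    unsafeLegit: handleResponseUnsafe(LEGIT_BODY), // both handlers accept real data
    safeLegit: handleResponseSafe(LEGIT_BODY),
    safeTampered: handleResponseSafe(TAMPERED_BODY), // rejected: "not valid JSON"
  };
}
```

The same check pattern applies to any admin page that loads device state over HTTP: parse with JSON.parse, validate the expected fields, and never route the body through eval or Function().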
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized access and control over network routers, which serve as critical infrastructure for internet connectivity and internal network segmentation. Attackers could manipulate router configurations, redirect traffic, or intercept sensitive communications, undermining confidentiality and integrity. This is particularly concerning for enterprises relying on these TP-Link models for remote or branch office connectivity. The vulnerability could facilitate lateral movement within corporate networks and enable further compromise of connected devices. Additionally, compromised routers could be leveraged for launching broader attacks such as DNS hijacking or man-in-the-browser attacks on users. The requirement for MitM access and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with untrusted or public Wi-Fi usage. The impact on availability is lower but possible if attackers disrupt router functionality or configurations.
Mitigation Recommendations
1. Network Segmentation: Isolate management interfaces of routers from general user networks to reduce exposure to MitM attacks.
2. Use Encrypted Management: Access router admin portals only over secure, encrypted channels (e.g., HTTPS with valid certificates) and avoid HTTP where possible.
3. Avoid Untrusted Networks: Discourage or prevent users from accessing router management interfaces over public or untrusted Wi-Fi networks where MitM attacks are more feasible.
4. VPN Usage: Employ VPNs to secure remote access to router management interfaces, ensuring traffic is encrypted end-to-end.
5. Monitor Network Traffic: Deploy network monitoring to detect unusual traffic patterns indicative of MitM or injection attempts.
6. Firmware Updates: Regularly check TP-Link's official channels for firmware updates addressing this vulnerability and apply patches promptly once available.
7. User Awareness: Educate users about the risks of interacting with router admin portals on insecure networks and the importance of verifying network security.
8. Consider Alternative Hardware: For critical environments, evaluate replacing affected TP-Link models with devices from vendors with stronger security postures and timely patching.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: TPLink
- Date Reserved: 2026-01-29T23:07:58.401Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69850155f9fa50a62f38cef4
Added to database: 2/5/2026, 8:45:09 PM
Last enriched: 2/5/2026, 8:59:31 PM
Last updated: 3/22/2026, 10:45:46 PM