CVE-2025-15568 is an OS command injection vulnerability classified under CWE-78, discovered in the web management module of the TP-Link Archer AXE75 router models v1.6 and v1.0. The flaw exists due to improper neutralization of special elements in OS commands, allowing an authenticated attacker with adjacent network access to inject and execute arbitrary commands on the device. Exploitation requires the router to be configured with sysmode=ap, which likely enables access point mode, exposing the vulnerable interface. Successful exploitation grants root-level privileges, enabling complete control over the router’s operating system. This compromises confidentiality, integrity, and availability of the device and potentially the network it serves. The vulnerability affects firmware versions through 1.3.2 Build 20250107. The CVSS 4.0 base score is 8.5, reflecting high severity with attack vector as adjacent network, low attack complexity, no user interaction, and high impact on all security properties. Although no public exploits are currently reported, the vulnerability’s characteristics suggest it could be weaponized for remote code execution, persistent backdoors, or network pivoting. The issue was reserved in early 2026 and published shortly thereafter, indicating recent discovery and disclosure. No patches or mitigations are linked yet, emphasizing the need for immediate attention from users and administrators of affected devices.

The impact of CVE-2025-15568 is significant for organizations using TP-Link Archer AXE75 routers, especially in environments where these devices operate in access point mode (sysmode=ap). Exploitation leads to remote code execution with root privileges, allowing attackers to fully compromise the device. This can result in unauthorized access to network traffic, manipulation or disruption of network services, installation of persistent malware, and potential lateral movement within the network. Confidentiality is at risk as attackers can intercept or alter sensitive data. Integrity is compromised through unauthorized configuration changes or firmware tampering. Availability may be affected by denial-of-service conditions or device bricking. Given the router’s role as a network gateway, the vulnerability could serve as a foothold for broader network intrusions. Organizations relying on these routers for critical connectivity or security functions face elevated risk, particularly if the devices are deployed in sensitive or high-value environments such as corporate offices, government facilities, or industrial networks.

1. Immediately verify if your TP-Link Archer AXE75 router is running firmware versions up to 1.3.2 Build 20250107 and operating in sysmode=ap. 2. Restrict access to the router’s management interface to trusted, authenticated users only, and limit access to the adjacent network segment. 3. Disable access point mode (sysmode=ap) if not required or isolate the device on a separate VLAN to reduce exposure. 4. Monitor network traffic for unusual commands or connections originating from the router. 5. Apply firmware updates as soon as TP-Link releases patches addressing this vulnerability. 6. Implement network segmentation and strong authentication controls to limit lateral movement if compromise occurs. 7. Consider deploying host-based or network-based intrusion detection systems to detect exploitation attempts. 8. Regularly audit router configurations and logs for signs of unauthorized access or changes. 9. Engage with TP-Link support or security advisories for timely updates and guidance. 10. As a temporary workaround, disable web management interfaces or restrict them to secure management networks until patches are available.