CVE-2025-14756 HIGH

CVE-2025-14756: Authenticated Command Injection Vulnerability in Archer MR600

Vendor Tp-Link Systems Inc.
Product Archer MR600 v5.0
Weakness CWE-77
Published January 26, 2026
Last update February 26, 2026

CVSS base score

8.5/10
Attack vector Adjacent
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise.

Key dates

02Disclosure timeline

January 26, 2026 CVE published
February 26, 2026 Record updated