CVE-2025-15607

A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device.
Configurations

Configuration 1

AND
cpe:2.3:o:tp-link:archer_ax53_firmware:1.0:*:*:*:*:*:*:*
cpe:2.3:h:tp-link:archer_ax53:-:*:*:*:*:*:*:*

History

02 Apr 2026, 20:53

Type Values Removed Values Added
CPE
  • Added: cpe:2.3:o:tp-link:archer_ax53_firmware:1.0:*:*:*:*:*:*:*
  • Added: cpe:2.3:h:tp-link:archer_ax53:-:*:*:*:*:*:*:*
Summary
  • (es) A command injection vulnerability on AX53 v1 occurs in the mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, which allows authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and, ultimately, full control of the device.
References
  • https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware - tag added: Product
  • https://www.tp-link.com/us/support/faq/5025/ - tag added: Vendor Advisory
CVSS
  • Removed: v2 : unknown, v3 : unknown
  • Added: v2 : unknown, v3 : 9.8
First Time
  • Tp-link archer Ax53 Firmware
  • Tp-link
  • Tp-link archer Ax53

20 Mar 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-20 17:16

Updated : 2026-04-02 20:53


NVD link : CVE-2025-15607

Mitre link : CVE-2025-15607

CVE.ORG link : CVE-2025-15607


Products Affected

tp-link

  • archer_ax53
  • archer_ax53_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')