CVE-2025-15545

MEDIUM

TP-Link Archer RE605X Firmware <= 1.2.10 - Command Injection via Backup Restore

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-15545. PoCs published by Xernary.

AI-analyzed exploit summary This PoC exploits a chain of vulnerabilities in TP-Link Archer RE605X, including hardcoded cryptographic keys and command injection in the XML configuration parser, to achieve RCE as root. It demonstrates a chained attack scenario requiring local network access and authenticated user credentials.

Description

The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability.

Exploits (1)

nomisec WORKING POC 1 stars

by Xernary · poc

https://github.com/Xernary/CVE-2025-15545

View Code ZIP pw:eip

This PoC exploits a chain of vulnerabilities in TP-Link Archer RE605X, including hardcoded cryptographic keys and command injection in the XML configuration parser, to achieve RCE as root. It demonstrates a chained attack scenario requiring local network access and authenticated user credentials.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: TP-Link Archer RE605X v3.0 with firmware RE605X(EU)_V3_1.1.5 Build 20240905

Auth required

Prerequisites: Local network access · Authenticated user credentials · Hardcoded AES key and IV · ARP spoofing capability

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1078 - Valid Accounts T1040 - Network Sniffing T1090 - Proxy

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources

https://nico-security.com/posts/cve-2025-15545

Various Sources patch

https://www.tp-link.com/en/support/download/re605x/v3/#Firmware

Various Sources patch

https://www.tp-link.com/us/support/download/re605x/v3/#Firmware

Various Sources vendor-advisory

https://www.tp-link.com/us/support/faq/4929/

Scores

CVSS v3 6.8

EPSS 0.0045

EPSS Percentile 35.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (1)

tp-link/archer_re605x_firmware < 1.2.10

Published Jan 29, 2026

Tracked Since Feb 18, 2026