The router is the single most important security device in your home, and it is also the one most people never think about. It sits in a corner, it works, and it is forgotten — often for years, frequently until it dies. That neglect is exactly what makes router vulnerabilities so dangerous. A flaw in your laptop affects one machine. A flaw in your router affects every device that passes traffic through it, and it hands an attacker a position from which they can watch, redirect, and manipulate everything on your network.
In March 2026, TP-Link — one of the largest consumer router vendors in the world — released firmware updates patching four high-severity vulnerabilities in its Archer NX line. Two of them, taken together, allow an attacker to completely take over an affected router. This is the kind of vulnerability that does not require sophistication to exploit once it is understood, and the kind that botnet operators actively hunt for. If you own one of these routers, the action item is simple and urgent: update the firmware. The rest of this article explains what you are protecting yourself against and why it matters.
The Affected Devices
The vulnerabilities affect the TP-Link Archer NX router family, specifically the NX200, NX210, NX500, and NX600 models, across multiple hardware versions. These are mainstream consumer and prosumer routers — the sort of device a household or small business buys, plugs in, and relies on as the gateway between every connected thing they own and the internet.
If you are not sure which router model you have, it is printed on a label on the underside or back of the device, and it is also displayed in the router’s administrative interface. Take a moment to check, because the distinction between “I have an Archer NX” and “I have a different TP-Link model” determines whether the rest of this applies to you directly.
CVE-2025-15517: The Authentication Bypass
The most serious of the four flaws is CVE-2025-15517, carrying a CVSS severity score of 8.6 — firmly in the “high” range, bordering on critical.
It is an authentication bypass in the router’s HTTP server, affecting certain CGI endpoints. In plain terms: parts of the router’s web-based management interface that are supposed to require you to log in first can be reached and used without logging in at all. The authentication check that is supposed to stand between an attacker and the router’s controls simply does not apply to these endpoints.
What makes this particular bypass so dangerous is what the unprotected endpoints let an attacker do. This is not a flaw that merely leaks some configuration detail. According to the disclosure, it allows an unauthenticated attacker to perform privileged HTTP actions — including uploading firmware and performing configuration operations — without authentication.
The ability to upload firmware without authentication is the security equivalent of leaving the keys in the ignition with the doors unlocked. Firmware is the operating system of the router. An attacker who can push their own firmware to the device can replace the router’s entire software with a version of their choosing — one that captures every packet, redirects your DNS lookups to malicious servers, installs persistent malware that survives reboots and factory resets, and enrolls the device into a botnet, all while presenting a normal-looking interface to the owner. Firmware-level compromise is the deepest and most durable form of router takeover there is. Once an attacker controls the firmware, they control the router absolutely, and dislodging them can require physically replacing the hardware.
CVE-2025-15605: The Hardcoded Key
The second flaw in the pair is CVE-2025-15605, with a CVSS score of 8.5. This one is a hardcoded cryptographic key in the mechanism the router uses to encrypt its configuration files.
A hardcoded key is a secret that is baked into the device firmware itself rather than being unique to each device or derived from something only the legitimate owner knows. Because the key is the same across devices and embedded in firmware that can be extracted and analyzed, it is not really a secret at all once a researcher — or an attacker — recovers it.
The practical consequence is that an authenticated attacker can use this key to decrypt the router’s configuration files, modify them, and re-encrypt them so they appear legitimate. That undermines the confidentiality and integrity of every setting the router holds: credentials, network configuration, access rules, and more. Configuration encryption is supposed to be a safeguard. A hardcoded key turns that safeguard into theater.
The two flaws complement each other in an attacker’s hands. The disclosure also referenced two further high-severity issues in the same advisory, bringing the total to four patched vulnerabilities — a cluster that points to systemic weaknesses in the device’s security model rather than a single isolated mistake.
The Patches — and the Gap That Always Follows
TP-Link did the right thing on the disclosure side. The company released firmware updates with build dates of March 9 through 11, 2026, addressing the vulnerabilities. The specific fixed version varies by model — for example, the NX600 v3.0 requires updating away from firmware older than version 1.3.0 Build 260309. Check your specific model and hardware version against TP-Link’s advisory to confirm which build you need.
At the time of the disclosure there was no public evidence that these specific flaws were being exploited in the wild. That is good news, but it comes with a heavy caveat, and the caveat is the entire reason this article exists.
The window between public disclosure of a router vulnerability and active exploitation has been shrinking for years. Once a vulnerability is documented — complete with affected models, severity, and the nature of the flaw — botnet operators and other attackers reverse-engineer the patch to understand exactly what changed and how to exploit the original weakness. For a flaw as powerful as an unauthenticated firmware upload, the incentive to weaponize it is enormous. And history is unambiguous about what happens to unpatched TP-Link routers: in September 2025, the U.S. Cybersecurity and Infrastructure Security Agency added earlier TP-Link router vulnerabilities, CVE-2025-9377 and CVE-2023-50224, to its Known Exploited Vulnerabilities catalog — meaning those flaws were confirmed under active attack. The pattern is consistent. Disclosed router flaws get exploited; the only question is how quickly.
The structural problem is that consumer routers do not patch themselves the way modern phones and computers largely do. A meaningful fraction of routers in the field will never receive these updates, simply because their owners do not know the updates exist and the devices were not configured to install them automatically. Those routers will remain vulnerable indefinitely. They become the standing inventory from which the next botnet is built.
What To Do Right Now
If you own a TP-Link Archer NX200, NX210, NX500, or NX600, treat this as a priority maintenance task rather than an optional one.
Update the firmware immediately. Log into your router’s administrative interface, find the firmware or system update section, and either let it check for the latest version or download the correct firmware for your exact model and hardware revision from TP-Link’s official support site. Confirm afterward that the installed version matches or exceeds the fixed build for your model. Do not download firmware from anywhere other than TP-Link’s official channels.
Enable automatic updates if your model supports them. The single most effective defense against the next router vulnerability — and there will be a next one — is a device that patches itself. If your Archer NX offers automatic firmware updates, turn the feature on so you are not relying on remembering to check.
Turn off remote management. These flaws are dramatically more dangerous if the router’s web interface is reachable from the internet rather than only from inside your own network. Unless you have a specific, deliberate need for remote administration, disable it. An attacker who can only reach the management interface from inside your network has a far harder job than one who can reach it from anywhere.
Change the administrative password if you have not set a strong, unique one. While the authentication bypass means a password alone would not have stopped CVE-2025-15517, a strong admin password remains essential against the broad class of attacks that rely on default or guessable credentials, and it limits the second flaw, which requires authentication.
If your router is end-of-life, plan to replace it. The Archer NX line is currently supported, which is why fixes exist. But the broader lesson applies to every router: a device the manufacturer no longer patches is a device whose vulnerabilities are permanent. When support ends, the security clock starts running out, and the only real fix is new hardware.
A router vulnerability is not an abstraction. It is a flaw in the one device that sees and controls all of your network traffic. TP-Link has supplied the fix. Whether your router actually gets fixed is now up to you.