CVE-2025-15035
📋 TL;DR
An authenticated attacker on the same network can exploit improper input validation in TP-Link Archer AXE75 v1.6 VPN modules to delete arbitrary server files. This affects users of TP-Link Archer AXE75 v1.6 routers with firmware up to build 20250107, potentially causing service disruption or system damage.
💻 Affected Systems
- TP-Link Archer AXE75
⚠️ Risk & Real-World Impact
Worst Case
Critical system files are deleted, causing permanent router bricking, complete service interruption, and requiring hardware replacement.
Likely Case
Service degradation or temporary interruption as non-critical files are deleted, requiring firmware reflash or factory reset.
If Mitigated
Minimal impact if VPN modules are disabled and network segmentation prevents adjacent access.
🎯 Exploit Status
Requires authenticated access to the router's management interface and adjacent network position.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check TP-Link support for firmware newer than build 20250107
Vendor Advisory: https://www.tp-link.com/en/support/faq/4881/
Restart Required: Yes
Instructions:
1. Visit TP-Link support page for Archer AXE75 v1.6.
2. Download latest firmware.
3. Log into router admin interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install new firmware.
6. Router will reboot automatically.
🔧 Temporary Workarounds
Disable VPN modules
Turn off VPN functionality if not required
Log into router admin > VPN > Disable all VPN services
Network segmentation
Isolate router management interface from user networks
Configure VLANs to separate management traffic
🧯 If You Can't Patch
- Disable VPN functionality entirely through router admin interface
- Implement strict network access controls to limit adjacent network access
🔍 How to Verify
Check if Vulnerable:
Log into router admin interface, check Firmware Version under System Tools. If version is v1.6 with build date ≤ 20250107, device is vulnerable.
Check Version:
No CLI command; check via web interface at System Tools > Firmware Upgrade
Verify Fix Applied:
After firmware update, verify build date is newer than 20250107 in System Tools > Firmware Upgrade page.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- VPN module error messages
- Authentication logs showing suspicious admin access
Network Indicators:
- Unusual traffic patterns to router management interface
- Multiple failed then successful authentication attempts
SIEM Query:
source="router_logs" AND (event="file_deletion" OR module="vpn") AND severity="critical"
🔗 References
- https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/tree/master/2025/PANW-2025-0004
- https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware
- https://www.tp-link.com/jp/support/download/archer-axe75/v1/#Firmware
- https://www.tp-link.com/phppage/preview.php?url=https://www.tp-link.com/en/support/faq/4881/
- https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware