CVE-2025-15551
📋 TL;DR
This vulnerability allows attackers to execute arbitrary JavaScript code on affected TP-Link router admin portals via Man-in-the-Middle attacks. The router's web interface improperly uses eval() without validation on responses, enabling code execution. Users of specific TP-Link router models with vulnerable firmware are affected.
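The following is an added illustration of the bug class the advisory describes, not TP-Link's own code: a portal script that hands an HTTP response to eval() beside a hardened version that only accepts well-formed JSON of an expected shape. The response format, the field names (status, wan.ip) and the sample responses are all assumed/constructed.

```javascript
// Added example (not TP-Link code). Contrasts an admin-portal handler that
// evaluates the raw response body with one that parses and validates it.

// Vulnerable pattern: whatever arrives in the response is executed as
// JavaScript in the admin's browser. On plain HTTP, anything on the path
// between browser and router can change that body before it is evaluated.
function parseStatusUnsafe(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened pattern: JSON.parse never executes code and throws on anything
// that is not strict JSON; the object shape is then checked before use,
// and only the expected fields are copied out.
function parseStatusSafe(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    throw new Error("response is not valid JSON: " + e.message);
  }
  if (typeof data !== "object" || data === null || Array.isArray(data)) {
    throw new Error("response is not a JSON object");
  }
  if (!Number.isInteger(data.status)) {
    throw new Error("missing or non-integer status field");
  }
  let wanIp = null;
  if (data.wan !== undefined) {
    if (typeof data.wan !== "object" || data.wan === null) {
      throw new Error("wan field is not an object");
    }
    if (typeof data.wan.ip === "string") wanIp = data.wan.ip;
  }
  return { status: data.status, wanIp: wanIp };
}

// Constructed sample responses (assumed format). The second is not JSON:
// eval() would evaluate it as an object literal that reads browser state,
// while JSON.parse rejects it outright.
const GOOD_RESPONSE = '{"status":0,"wan":{"ip":"203.0.113.7"}}';
const TAMPERED_RESPONSE = '{"status":0,"wan":window.location}';

// Returns true only if the hardened parser accepts the response.
function isAcceptedBySafeParser(responseText) {
  try {
    parseStatusSafe(responseText);
    return true;
  } catch (e) {
    return false;
  }
}
```

The hardened parser removes the code-execution primitive on the client side; enforcing HTTPS on the management interface removes the attacker's ability to alter the response in transit, and the two mitigations are complementary rather than interchangeable.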
💻 Affected Systems
- TP-Link Archer MR200
- TP-Link Archer C20
- TP-Link TL-WR850N
- TP-Link TL-WR845N
⚠️ Risk & Real-World Impact
Worst Case
Complete router compromise allowing attacker to change DNS settings, intercept all network traffic, install persistent backdoors, or disable security features.
Likely Case
Session hijacking, credential theft, network traffic redirection, or router configuration changes leading to further network compromise.
If Mitigated
Limited impact if HTTPS is enforced and network segmentation isolates router management interface.
🎯 Exploit Status
Exploitation requires MitM position but no authentication needed. JavaScript execution occurs automatically when user visits admin portal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor links for latest firmware
Vendor Advisory: https://www.tp-link.com/en/support/download/
Restart Required: Yes
Instructions:
1. Visit the TP-Link support page for your router model.
2. Download the latest firmware.
3. Log into the router admin portal.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload and install the new firmware.
6. The router will reboot automatically.
🔧 Temporary Workarounds
- Disable remote management: prevents admin portal access from the WAN interface.
- Use a wired connection for management: reduces the MitM attack surface by avoiding wireless for admin access.
🧯 If You Can't Patch
- Segment router management to dedicated VLAN isolated from user devices
- Implement HTTPS enforcement and certificate pinning if supported
🔍 How to Verify
Check if Vulnerable:
Check router firmware version in admin portal under System Tools > Firmware Upgrade
Check Version:
Login to router admin portal and navigate to System Tools > Firmware Upgrade
Verify Fix Applied:
Verify firmware version matches latest from TP-Link website and test admin portal functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution in router logs
- Multiple failed login attempts followed by configuration changes
Network Indicators:
- ARP spoofing detection
- Unusual DNS queries from router
- HTTPS to HTTP downgrade attempts
SIEM Query:
source="router_logs" AND (event="eval" OR event="javascript_execution")
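As an added example for the "ARP spoofing detection" indicator above (not part of the advisory), the check below runs over neighbor-table snapshots in the Linux `ip neigh` line format and raises an alert when the gateway's MAC changes between snapshots or when one MAC answers for several IPs in the same snapshot. The gateway address and every sample line are constructed for the example.

```javascript
// Added example (not from the advisory): spot ARP-spoofing signatures in
// periodic neighbor-table snapshots. Input lines follow the `ip neigh`
// shape "<ip> dev <iface> lladdr <mac> <state>"; lines without lladdr
// (e.g. FAILED entries) are ignored.

const GATEWAY_IP = "192.168.0.1"; // assumed router/gateway address

// Parse one neighbor line into { ip, mac, state }, or null if it has no MAC.
function parseNeighLine(line) {
  const m = line.trim().match(
    /^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)$/i
  );
  if (!m) return null;
  return { ip: m[1], mac: m[2].toLowerCase(), state: m[3] };
}

// Walk the snapshots in order and return a list of alerts:
//  - gateway-mac-changed: the MAC bound to the gateway IP differs from the
//    last snapshot (a poisoned gateway entry is the usual MitM foothold);
//  - mac-claims-multiple-ips: one MAC is bound to several IPs within one
//    snapshot, e.g. the attacker's MAC now answering for the gateway too.
function detectArpSpoofing(snapshots, gatewayIp = GATEWAY_IP) {
  const alerts = [];
  let lastGatewayMac = null;
  snapshots.forEach((lines, idx) => {
    const ipsByMac = new Map();
    for (const line of lines) {
      const entry = parseNeighLine(line);
      if (!entry) continue;
      if (entry.ip === gatewayIp) {
        if (lastGatewayMac !== null && lastGatewayMac !== entry.mac) {
          alerts.push({
            snapshot: idx,
            type: "gateway-mac-changed",
            from: lastGatewayMac,
            to: entry.mac,
          });
        }
        lastGatewayMac = entry.mac;
      }
      if (!ipsByMac.has(entry.mac)) ipsByMac.set(entry.mac, new Set());
      ipsByMac.get(entry.mac).add(entry.ip);
    }
    for (const [mac, ips] of ipsByMac) {
      if (ips.size > 1) {
        alerts.push({
          snapshot: idx,
          type: "mac-claims-multiple-ips",
          mac: mac,
          ips: [...ips].sort(),
        });
      }
    }
  });
  return alerts;
}

// Constructed snapshots. In the second one the gateway entry now carries
// the MAC of 192.168.0.50, which is bound to two addresses at once.
const SAMPLE_SNAPSHOTS = [
  [
    "192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE",
    "192.168.0.50 dev wlan0 lladdr 66:77:88:99:aa:bb STALE",
    "192.168.0.99 dev wlan0 FAILED",
  ],
  [
    "192.168.0.1 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE",
    "192.168.0.50 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE",
  ],
];

function runSample() {
  return detectArpSpoofing(SAMPLE_SNAPSHOTS);
}
```

Both signatures have benign causes (a replaced router, a host with secondary addresses, a router that legitimately owns several IPs), so treat the alerts as triggers for a closer look rather than proof of an attack, and keep the baseline gateway MAC from a known-good snapshot.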
🔗 References
- https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware
- https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware
- https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware
- https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware
- https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware
- https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware
- https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware
- https://www.tp-link.com/us/support/faq/4948/