LAN Code Execution on TP-Link Archer MR200, Archer C20, TL-WR850N and TL-WR845N
Summary
| CVE | CVE-2025-15551 |
|---|---|
| State | PUBLISHED |
| Assigner | TPLink |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-05 18:16:09 UTC |
| Updated | 2026-04-22 22:16:28 UTC |
| Description | The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge. |
Risk And Classification
Primary CVSS: v4.0 5.9 MEDIUM from f23511db-6c3e-4e32-a477-6aa17d310630
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000320000 probability, percentile 0.094120000 (date 2026-04-22)
Problem Types: CWE-95 | CWE-95 CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f23511db-6c3e-4e32-a477-6aa17d310630 | Secondary | 5.9 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 5.9 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVSS v4.0 Breakdown
Attack Vector
AdjacentAttack Complexity
LowAttack Requirements
PresentPrivileges Required
NoneUser Interaction
PassiveConfidentiality
HighIntegrity
LowAvailability
LowSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Tp-link | Archer C20 | 6 | All | All | All |
| Operating System | Tp-link | Archer C20 Firmware | All | All | All | All |
| Hardware | Tp-link | Archer Mr200 | 5.20 | All | All | All |
| Operating System | Tp-link | Archer Mr200 Firmware | All | All | All | All |
| Hardware | Tp-link | Tl-wr845n | 4 | All | All | All |
| Operating System | Tp-link | Tl-wr845n Firmware | All | All | All | All |
| Hardware | Tp-link | Tl-wr850n | 3 | All | All | All |
| Operating System | Tp-link | Tl-wr850n Firmware | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TP-Link Systems Inc. | Archer MR200 V5.2 | affected 1.2.0 Build 250917 Rel.51746 custom | Not specified |
| CNA | TP-Link Systems Inc. | Archer C20 V6 | affected 0.9.1 4.19 v0001.0 Build 250630 Rel.56583n custom | Not specified |
| CNA | TP Link Systems Inc. | TL-WR850N V3 | affected 3.16.0 0.9.1 v6031.0 Build 251205 Rel.22089n custom | Not specified |
| CNA | TP Link Systems Inc. | TL-WR845N V4 | affected 0.9.1 3.19 Build 251031 rel33710 custom | Not specified |
| CNA | TP-Link Systems Inc. | Archer C20 V5 | affected US_V5_260419 custom | Not specified |
| CNA | TP-Link Systems Inc. | Archer C20 V5 | affected EU_V5_260317 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.tp-link.com/en/support/download/archer-c20/v6 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/us/support/download/archer-c20/v5 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | |
| www.tp-link.com/in/support/download/archer-mr200/v5.20 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/us/support/faq/4948 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Vendor Advisory |
| www.tp-link.com/in/support/download/tl-wr850n | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/en/support/download/archer-mr200/v5.20 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/en/support/download/archer-c20/v5 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | |
| www.tp-link.com/in/support/download/archer-c20/v6 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/in/support/download/tl-wr845n | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| www.tp-link.com/en/support/download/tl-wr845n | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Product |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Swaroop Dora, Deven Lunkad, Ashutosh Kumar, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad (en)
There are currently no legacy QID mappings associated with this CVE.