CVE-2025-15545
MEDIUM WAF: Medium
CVSS 6.8
Published: 2026-01-29
CWE-20
The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| tp-link | archer_re605x_firmware | up to 1.2.10 |
References
- nico-security.com (Exploit, Third Party Advisory)
- www.tp-link.com (Product)
- www.tp-link.com (Product)
- www.tp-link.com (Vendor Advisory)