JVNDB-2026-001972

Archer MR600 vulnerable to OS command injection

Overview

Archer MR600 provided by TP-Link Systems Inc. contains the following vulnerability.
  • OS command injection (CWE-78) - CVE-2025-14756
Chuya Hayakawa of 00One, Inc. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [Other]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


TP-LINK Technologies
  • Archer MR600 v5 firmware versions prior to 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n

Impact

An attacker who can log in to the management web interface may execute an arbitrary OS command on the product.
Solution

[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
Vendor Information

TP-Link Systems Inc.
CWE

  1. OS Command Injection(CWE-78) [Other]
CVE

  1. CVE-2025-14756
References

  1. JVN : JVNVU#94651499
Revision History

  • [2026/01/28]
      Web page was published