Vulnerability in TP-Link Routers Allowing JavaScript Code Execution
CVE-2025-15551

5.9MEDIUM

Key Information:

Vendor

Tp-link Systems Inc.

Status
Archer Mr200 V5.2
Archer C20 V6
Tl-wr850n V3
Tl-wr845n V4
Vendor
CVE Published:
5 February 2026

What is CVE-2025-15551?

A vulnerability exists in certain TP-Link router models where the JavaScript function eval executes responses without validation. This flaw could be exploited through a Man-in-the-Middle (MitM) attack, allowing attackers to inject malicious JavaScript code into the router's admin web portal, potentially compromising user security and access without their awareness. It is crucial for users to apply the recommended security patches to mitigate the risks associated with this vulnerability.

Affected Version(s)

Archer C20 v6 0 < 0.9.1 4.19 v0001.0 Build 250630 Rel.56583n

Archer MR200 v5.2 0 < 1.2.0 Build 250917 Rel.51746

TL-WR845N v4 0 < 0.9.1 3.19 Build 251031 rel33710

References

https://www.tp-link.com/en/support/download/archer-mr200/...
patch
https://www.tp-link.com/en/support/download/archer-c20/v6...
patch
https://www.tp-link.com/in/support/download/tl-wr850n/#Fi...
patch

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Swaroop Dora, Deven Lunkad, Ashutosh Kumar, and S. Venkatesan from IoT Security Research Lab, Indian Institute of Information Technology, Allahabad
.