CVE-2025-15551

Summary

The response coming from TP-Link Archer MR200 v5.2, C20 v5 and v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router's admin web portal without the user's permission or knowledge.

Affected Software

VendorProductVersion RangeStatus
TP-Link Systems Inc.Archer MR200 v5.20 < 1.2.0 Build 250917 Rel.51746affected
TP-Link Systems Inc.Archer C20 v60 < 0.9.1 4.19 v0001.0 Build 250630 Rel.56583naffected
TP Link Systems Inc.TL-WR850N v30 < 3.16.0 0.9.1 v6031.0 Build 251205 Rel.22089naffected
TP Link Systems Inc.TL-WR845N v40 < 0.9.1 3.19 Build 251031 rel33710affected
TP-Link Systems Inc.Archer C20 v50 < US_V5_260419affected
TP-Link Systems Inc.Archer C20 v50 < EU_V5_260317affected

Weaknesses

  • CWE-95: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References