Description
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Published: 2026-06-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the WireGuard client configuration of TP‑Link Archer MR600 v5, caused by inadequate neutralization of user‑controlled input in the web management interface. An attacker who has authenticated administrative privileges can exploit this to run arbitrary commands when configuration changes are applied, potentially leading to full compromise of device confidentiality, integrity, and availability.

Affected Systems

TP‑Link Systems Inc. Archer MR600 v5 firmware version 5 is affected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.5, indicating high severity. EPSS data is not available and the issue is not listed in CISA KEV. An authenticated administrator already possesses the necessary access, so the attack vector is likely the web interface used to apply WireGuard settings. Successful exploitation would grant an attacker the ability to execute arbitrary commands on the device and control its network traffic.

Generated by OpenCVE AI on June 8, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for the Archer MR600 v5 that addresses the command injection issue.
  • Limit administrative access to the web interface by restricting IP ranges and enabling two‑factor authentication where possible.
  • If WireGuard is not required, disable the client feature or isolate the device on a separate VLAN to contain potential compromise.

Generated by OpenCVE AI on June 8, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link archer Mr600
Vendors & Products Tp-link
Tp-link archer Mr600

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Title Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tp-link Archer Mr600
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-09T03:55:38.204Z

Reserved: 2026-05-18T23:12:55.471Z

Link: CVE-2026-8913

cve-icon Vulnrichment

Updated: 2026-06-08T18:24:51.494Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T18:16:34.177

Modified: 2026-06-09T13:51:18.770

Link: CVE-2026-8913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:56:41Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')