Description
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Published: 2026-06-08
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the WireGuard client configuration of TP‑Link Archer MR600 v5, caused by inadequate neutralization of user‑controlled input in the web management interface. An attacker who has authenticated administrative privileges can exploit this to run arbitrary commands when configuration changes are applied, potentially leading to full compromise of device confidentiality, integrity, and availability.

Affected Systems

TP‑Link Systems Inc. Archer MR600 v5 firmware version 5 is affected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.5, indicating high severity. EPSS data is not available and the issue is not listed in CISA KEV. An authenticated administrator already possesses the necessary access, so the attack vector is likely the web interface used to apply WireGuard settings. Successful exploitation would grant an attacker the ability to execute arbitrary commands on the device and control its network traffic.

Generated by OpenCVE AI on June 8, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for the Archer MR600 v5 that addresses the command injection issue.
  • Limit administrative access to the web interface by restricting IP ranges and enabling two‑factor authentication where possible.
  • If WireGuard is not required, disable the client feature or isolate the device on a separate VLAN to contain potential compromise.

Generated by OpenCVE AI on June 8, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Title Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-08T18:24:56.126Z

Reserved: 2026-05-18T23:12:55.471Z

Link: CVE-2026-8913

cve-icon Vulnrichment

Updated: 2026-06-08T18:24:51.494Z

cve-icon NVD

Status : Received

Published: 2026-06-08T18:16:34.177

Modified: 2026-06-08T18:16:34.177

Link: CVE-2026-8913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T19:30:06Z

Weaknesses