Security News

Cybersecurity news aggregator


TP-Link Patches Archer NX Auth Bypass, Still Faces Security Lawsuit

TP-Link has patched a critical authentication bypass (CVE-2025-15517) in its Archer NX series routers, where missing authentication checks on specific HTTP cgi endpoints allow unauthenticated attackers to perform privileged actions like firmware uploads. The same firmware update also addresses a hardcoded cryptographic key vulnerability (CVE-2025-15605) and two command injection flaws (CVE-2025-15518, CVE-2025-15519) that grant admin-level code execution. The company strongly recommends applying the latest firmware update, as these vulnerabilities follow prior exploited TP-Link flaws and ongoing legal action over security claims.

TP-Link’s newest patch fixes a router bug that lets strangers upload firmware without a password, five months after Texas sued the company for claiming its gear was secure. The flaw, CVE-2025-15517, hits Archer NX200, NX210, NX500, and NX600 models through a missing authentication check in the HTTP server for certain cgi endpoints. According to TP-Link, “an attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.”

In the same firmware drop the vendor excised a hardcoded cryptographic key (CVE-2025-15605) that let authenticated users decrypt, alter, and re-encrypt configuration files, plus two command-injection bugs (CVE-2025-15518 and CVE-2025-15519) that give admin-level code execution.

TP-Link “strongly” recommends installing the latest firmware, warning that “if you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.”

The release follows a September zero-day scramble for other router lines and CISA adding two earlier TP-Link bugs to its Known Exploited Vulnerability catalog after Quad7 botnet activity. Texas Attorney General Paxton sued TP-Link in February, accusing the company of deceptively marketing routers as secure while Chinese state-sponsored actors allegedly exploited firmware flaws.
