Security Advisory: Command Injection in Archer MR600 WireGuard Client Configuration (CVE-2026-8913)
Vulnerability and Impact Description:
CVE-2026-8913
A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.
Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
CVSS v4.0 Score: 8.5 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Product Model |
Hardware Version |
Fixed Firmware Version |
|
Archer MR600 |
V5 |
EU_V5_1.7.0 0.9.1 260518 rel67803 JP_V5_1.2.0 0.9.1 260519 rel52362 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Update affected devices to the latest firmware version that fixed the vulnerability:
EN: Download for Archer MR600 | TP-Link
JP: Archer MR600 Content | TP-Link Japan
Note: MR600 is not sold in the US.
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.