Router Takeover: High-Severity Command Injection Flaw Hits TP-Link Archer MR600

TP-Link issued an advisory for Archer MR600 v5 (CVE-2025-14756), an authenticated command injection flaw in the router’s web admin interface with a CVSS of 8.5; attackers who obtain admin credentials can inject system commands via the browser developer console and potentially fully compromise the device. Devices running firmware older than 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n are affected; TP-Link has released a patched firmware and urges immediate updates.