CVE-2025-15035 PUBLISHED

Arbitrary File Deletion Vulnerability in TP-Link Archer AXE75

Assigner: TPLink
Reserved: 22.12.2025 Published: 09.01.2026 Updated: 09.01.2026

Improper Input Validation vulnerability in TP-Link Archer AXE75 v1.6 (vpn modules) allows an authenticated adjacent attacker to delete arbitrary server file, leading to possible loss of critical system files and service interruption or degraded functionality.This issue affects Archer AXE75 v1.6: ≤ build 20250107.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	TP-Link Systems Inc.
Product	Archer AXE75 v1.6
Versions	Default: unaffected affected from 0 to build 20250107 (incl.)

Credits

Yiheng An, Zhibin Zhang, Haozhe Zhang finder

References

Problem Types

CWE-20 Improper Input Validation CWE

Impacts

CAPEC-126 Path Traversal