CVE-2026-8913 PUBLISHED

Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration

Assigner: TPLink
Reserved: 18.05.2026 Published: 08.06.2026 Updated: 09.06.2026

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes.Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	TP-Link Systems Inc.
Product	Archer MR600 v5
Versions	Default: unaffected affected from 0 to EU_V5_1.7.0 0.9.1 260518 rel67803 (excl.) affected from 0 to JP_V5_1.2.0 0.9.1 260519 rel52362 (excl.)

Credits

Akira Moroo (Ricerca Security, Inc.), Satoki Tsuji (Ricerca Security, Inc.), Anonymous finder

References

Problem Types

CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection') CWE

Impacts

CAPEC-248 Command Injection