EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in TP‑Link Archer MR600 routers, specifically firmware version 5.x (including v5.0 and v5.1). The flaws consist of command injection defects in the web management interface and WireGuard client configuration, allowing authenticated administrators to execute arbitrary system commands. Exploitation grants an attacker full control over the device, compromising confidentiality, integrity, and availability of the local network. The business risk includes potential data breach, service disruption, and unauthorized use of network resources, which could damage reputation and incur regulatory penalties. CVE-2026-8913 with a CVSS score of 8.5 – A command injection vulnerability in the Archer MR600’s web management interface and WireGuard client configuration allows an attacker with valid administrative credentials to inject malicious strings that trigger arbitrary system commands; exploitation requires an authenticated session and results in total device takeover. Given the high severity and the need for valid admin access, the risk of exploitation remains acute until the flaw is addressed. A successful attack could lead to complete network compromise, data exfiltration, and prolonged service outages, exposing the organization to financial loss and reputational harm.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in TP‑Link Archer MR600 routers, specifically firmware version 5.x (including v5.0 and v5.1). The flaws consist of command injection defects in the web management interface and WireGuard client configuration, allowing authenticated administrators to execute arbitrary system commands. Exploitation grants an attacker full control over the device, compromising confidentiality, integrity, and availability of the local network. The business risk includes potential data breach, service disruption, and unauthorized use of network resources, which could damage reputation and incur regulatory penalties. CVE-2026-8913 with a CVSS score of 8.5 – A command injection vulnerability in the Archer MR600’s web management interface and WireGuard client configuration allows an attacker with valid administrative credentials to inject malicious strings that trigger arbitrary system commands; exploitation requires an authenticated session and results in total device takeover. Given the high severity and the need for valid admin access, the risk of exploitation remains acute until the flaw is addressed. A successful attack could lead to complete network compromise, data exfiltration, and prolonged service outages, exposing the organization to financial loss and reputational harm.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/archer-mr600-command-injection/