CVE-2026-8913: Command Injection in TP-Link's Archer MR600 WireGuard Client Configuration
A command injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes. Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: EU_V5_1.7.0 0.9.1 260518 rel67803
- Affected Products: 1
HarborGuard Analysis
Synopsis
A command injection vulnerability exists in the WireGuard client configuration handler of the TP-Link Archer MR600 v5 web management interface. The flaw is reachable over an adjacent network (LAN or VPN) and requires an authenticated admin-level session; improper neutralization of user-controlled input lets the attacker inject shell commands when applying configuration changes. Successful exploitation gives the attacker full read and write access to the device and can crash or take over its operating environment. Patched-image rebuilds at versions EU_V5_1.7.0 0.9.1 260518 rel67803 and JP_V5_1.2.0 0.9.1 260519 rel52362 are available on HarborGuard for affected environments.
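The usual fix for this bug class is to allow-list every configuration value and to hand the values to the tool as an argument vector instead of a shell string. The sketch below is an added example, not TP-Link's or HarborGuard's code; it assumes standard WireGuard peer keys (`PublicKey`, `Endpoint`, `AllowedIPs`) and the stock `wg set` command, since the page does not identify the affected field.

```python
import base64
import ipaddress
import re

# Field names are standard WireGuard config keys, used here as an assumption:
# the page does not say which client field reaches the shell on the MR600.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"(?=.{{1,253}}\Z)(?:{LABEL}\.)*{LABEL}\Z")
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key

def _parses(factory, text):
    """True if text parses; zone ids are refused because ipaddress accepts any text after %."""
    try:
        factory(text)
    except ValueError:
        return False
    return "%" not in text

def valid_key(value):
    """WireGuard keys are 32 bytes, base64-encoded to 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def valid_endpoint(value):
    """Accept host:port or [ipv6]:port and nothing else."""
    host, _, port = value.rpartition(":")
    if not re.fullmatch(r"[0-9]{1,5}", port) or not 0 < int(port) < 65536:
        return False
    if host.startswith("[") and host.endswith("]"):
        return _parses(ipaddress.IPv6Address, host[1:-1])
    return HOST_RE.match(host) is not None

def valid_allowed_ips(value):
    """Comma-separated CIDR prefixes, each parsed rather than pattern-matched."""
    return all(_parses(lambda t: ipaddress.ip_network(t, strict=False), p.strip(" "))
               for p in value.split(","))

VALIDATORS = {"PublicKey": valid_key, "Endpoint": valid_endpoint, "AllowedIPs": valid_allowed_ips}

def peer_argv(iface, peer):
    """Build an argv list for `wg set`, so no value is ever parsed by a shell."""
    bad = sorted(k for k, ok in VALIDATORS.items()
                 if not isinstance(peer.get(k), str) or not ok(peer[k]))
    if bad or set(peer) - set(VALIDATORS) or not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]{0,14}", iface):
        raise ValueError(f"rejected: {bad or 'unknown key or interface name'}")
    return ["wg", "set", iface, "peer", peer["PublicKey"],
            "endpoint", peer["Endpoint"], "allowed-ips", peer["AllowedIPs"].replace(" ", "")]
```

The returned list is meant for an exec-style call that takes an argument vector; values that fail validation never reach that call.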
HarborGuard Coverage
Detection capability for CVE-2026-8913 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI pipelines, and custom-built images that bundle affected versions of the Archer MR600 v5 firmware.
Available
HarborGuard is capable of surfacing this CVE with its CVSS v4.0 score of 8.5 (HIGH), weighted against each customer organization's compliance policy, and routing findings to the appropriate team inbox based on per-environment configuration.
Available
A patched-image rebuild at EU_V5_1.7.0 0.9.1 260518 rel67803 (EU region) or JP_V5_1.2.0 0.9.1 260519 rel52362 (JP region) becomes available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the pipeline runs a rebuild, executes a regression test suite, and opens a PR against affected workloads automatically.
Available
Exploit Conditions
- Network reachability
The attacker must be on an adjacent network such as a LAN or VPN segment that can reach the device's web management interface; remote internet-based access alone is not sufficient.
- Authentication: Required
An admin-level account is required; the attacker must authenticate with high-privilege credentials before injecting commands through the configuration interface.
- Victim interaction: Not required
No user interaction is needed; the attacker submits the malicious configuration directly through the web management API without involving any other user.
- Attack complexity
Exploitation is reliable and condition-free: no race condition, specific memory layout, or unusual environmental factor is required to trigger command execution.
Blast Radius
- Reads all data stored on or accessible by the device, including WireGuard private keys, VPN configuration secrets, and any credentials cached in the management interface.
- Modifies device configuration, routing rules, or firewall policies, enabling traffic interception or redirection for hosts behind the affected router.
- Executes arbitrary OS commands as a privileged process, giving the attacker persistent shell access to the device's underlying operating system.
- Crashes or reboots the affected device, disrupting network connectivity for all clients that depend on it for routing or VPN termination.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and remediation capabilities for CVE-2026-8913 are ready for customer environments running affected Archer MR600 v5 firmware images. Where compliance policy permits, the auto-remediation pipeline can rebuild images at the appropriate fix version (EU_V5_1.7.0 0.9.1 260518 rel67803 or JP_V5_1.2.0 0.9.1 260519 rel52362), run regression tests, and open a pull request against affected workloads. For environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who have not enabled auto-remediation will see the finding surfaced in their dashboard at CVSS 8.5 HIGH, routed per their compliance policy, so their team can act manually. Because this vulnerability requires an admin session on an adjacent-network interface, compensating controls such as network-policy isolation of the management VLAN and egress filtering on the management interface are available as interim mitigations while patch deployment is evaluated.
Fix available
- TP-Link Systems Inc. / Archer MR600 v5: < EU_V5_1.7.0 0.9.1 260518 rel67803 (from 0) · < JP_V5_1.2.0 0.9.1 260519 rel52362 (from 0)
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
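To check an inventory against the two fixed builds listed under "Fix available", the build strings can be parsed and compared per region. This is an added example, not HarborGuard's matching logic; the field ordering used for comparison (firmware version, second version field, six-digit build date) and the sample inventory are assumptions.

```python
import re

# Fixed builds exactly as listed on this page.
FIXED = ["EU_V5_1.7.0 0.9.1 260518 rel67803", "JP_V5_1.2.0 0.9.1 260519 rel52362"]
BUILD_RE = re.compile(r"(?P<region>[A-Z]{2})_V(?P<hw>\d+)_(?P<fw>\d+(?:\.\d+)*) "
                      r"(?P<sub>\d+(?:\.\d+)*) (?P<date>\d{6}) rel(?P<rel>\d+)")

# Constructed sample inventory (hostnames and non-fixed builds are made up).
SAMPLE_INVENTORY = [("rtr-eu-01", "EU_V5_1.6.0 0.9.1 250101 rel11111"),
                    ("rtr-eu-02", "EU_V5_1.7.0 0.9.1 260518 rel67803"),
                    ("rtr-jp-01", "JP_V5_1.2.0 0.9.1 260401 rel40000"),
                    ("rtr-xx-01", "unreadable")]

def parse_build(text):
    """Split a build string in this page's format; None if it does not match."""
    m = BUILD_RE.fullmatch(text.strip())
    if not m:
        return None
    dotted = lambda s: tuple(int(p) for p in s.split("."))
    # Assumed ordering: firmware version, then the second version field, then
    # the six-digit build date. The rel number is left out of the comparison.
    return {"region": m["region"], "hw": int(m["hw"]),
            "order": (dotted(m["fw"]), dotted(m["sub"]), int(m["date"]))}

FIXED_BY_TRACK = {(b["region"], b["hw"]): b["order"] for b in map(parse_build, FIXED)}

def triage(build_text):
    """Return 'affected', 'fixed' or 'unknown' for one reported build string."""
    build = parse_build(build_text)
    if build is None:
        return "unknown"      # unparseable strings go to a human, never to "fixed"
    fixed = FIXED_BY_TRACK.get((build["region"], build["hw"]))
    if fixed is None:
        return "unknown"      # region or hardware revision with no fix on this page
    return "fixed" if build["order"] >= fixed else "affected"

def triage_inventory(rows):
    """rows: (hostname, build string) pairs -> {status: [hostnames]}."""
    out = {"affected": [], "fixed": [], "unknown": []}
    for host, build in rows:
        out[triage(build)].append(host)
    return out
```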