
CISA has added three TP-Link vulnerabilities (two in SOHO routers, one in a range extender) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
At the same time, an independent researcher has disclosed a separate zero-day flaw in TP-Link's CWMP (TR-069) implementation that remains unpatched and exploitable.
CISA warns of attacks against TP-Link IoT devices
The most severe of the newly listed flaws is CVE-2025-9377, an OS command injection vulnerability affecting the Parental Control page in TP-Link Archer C7(EU) and TL-WR841N/ND(MS) routers. Exploitation of this flaw enables remote code execution (RCE) when attackers tamper with the url_0 parameter. According to French cybersecurity firm Sekoia.io, this vulnerability was part of an exploit chain used by Chinese state-linked actors behind the Quad 7 botnet, which leveraged compromised SOHO routers to conduct password-spraying attacks against Microsoft 365 accounts.
The exploit chain began with CVE-2023-50224, an authentication bypass by spoofing vulnerability in the same TL-WR841N router line. Attackers could exploit this flaw by accessing the HTTP management interface (usually on TCP port 80) to obtain credentials stored in /tmp/dropbear/dropbearpwd, then replay them in HTTP Basic authentication requests. Once authenticated, they executed commands using the CVE-2025-9377 injection point.
The third KEV-listed issue, CVE-2020-24363, affects the TP-Link TL-WA855RE range extender. It allows an unauthenticated attacker on the local network to trigger a factory reset and reboot via a TDDP_RESET POST request. Because a reset clears the admin password, the attacker can then set a new one and take control of the device. Firmware fixes have been available since 2020, but many devices remain unpatched and are being targeted in real-world attacks.
TP-Link has confirmed exploitation against these devices, including the TL-WR841N/ND and Archer C7. Although the models are end-of-life (EOL) and end-of-service (EOS), the company has released emergency firmware patches via its support site, and strongly recommends that users discontinue use of the devices where patching or other mitigation is not possible.
Unpatched zero-day flaw
While the above vulnerabilities have fixes available, a newly disclosed zero-day vulnerability in TP-Link's implementation of the CWMP (TR-069) remote-management protocol remains unpatched and poses a severe risk to over 4,000 routers whose CWMP service is exposed to the internet.
Discovered in January 2025 by an independent researcher known as Mehrun and reported to TP-Link in May, the flaw is a stack-based buffer overflow in the CWMP binary used in TP-Link Archer AX10 and AX1500 routers. The vulnerability arises in the way the firmware processes cwmp:SetParameterValues SOAP messages: a length derived from unsanitized message content is passed to a strncpy call, so an oversized value overflows a fixed-size stack buffer. An attacker who controls the overflow can hijack execution flow and achieve remote code execution.
A working proof-of-concept exploit confirmed that a 4096-byte payload can crash the cwmp service and overwrite the program counter. Devices tested, including Archer AX10 V1/V2 and AX1500, are all confirmed vulnerable. The CWMP binary appears to be reused across multiple TP-Link product lines, suggesting the flaw could impact additional models.
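The bug class described above, as an added illustration that is neither TP-Link's firmware nor the researcher's proof-of-concept: a toy SetParameterValues handler whose strncpy length is taken straight from the message, beside a hardened version that bounds the copy. The SOAP tag names, the parameter name, and the 256-byte stack buffer are assumptions made for this demo; the vulnerable path is deliberately never run on the oversized request, because doing so would genuinely corrupt the stack rather than demonstrate anything.

```c
/* Added example (not TP-Link's code or the published PoC): a toy CWMP
 * SetParameterValues handler showing the unbounded-strncpy pattern and a
 * hardened form. Tag names, parameter name and buffer size are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_BUF 256   /* assumed size of the handler's fixed stack buffer */

/* Locate the text between <Value> and </Value>. The length stored in *len
 * comes from the message itself, i.e. it is attacker-controlled. */
static const char *find_value(const char *soap, size_t *len)
{
    static const char open[] = "<Value>", close[] = "</Value>";
    const char *s = strstr(soap, open);
    if (!s) return NULL;
    s += sizeof(open) - 1;
    const char *e = strstr(s, close);
    if (!e) return NULL;
    *len = (size_t)(e - s);
    return s;
}

/* Vulnerable pattern: n flows unchecked from the message into strncpy, so a
 * Value of VALUE_BUF bytes or more writes past the caller's stack buffer and
 * over saved registers and the return address. Safe only for short input. */
int set_parameter_unsafe(const char *soap, char *out)
{
    size_t n = 0;
    const char *s = find_value(soap, &n);
    if (!s) return -1;
    strncpy(out, s, n);      /* BUG: n is never compared with VALUE_BUF */
    out[n] = '\0';           /* BUG: also out of bounds when n >= VALUE_BUF */
    return (int)n;
}

/* Hardened form: bound the length before any copy and terminate explicitly.
 * Refusing an oversize value is safer than silently truncating a URL. */
int set_parameter_safe(const char *soap, char *out)
{
    size_t n = 0;
    const char *s = find_value(soap, &n);
    if (!s) return -1;
    if (n >= VALUE_BUF) return -2;
    memcpy(out, s, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed request: a SetParameterValues body whose Value is value_len
 * bytes of 'A', the shape of the 4096-byte crash payload. Caller frees. */
char *build_request(size_t value_len)
{
    static const char head[] =
        "<soap:Envelope><soap:Body><cwmp:SetParameterValues><ParameterList>"
        "<ParameterValueStruct><Name>Device.ManagementServer.URL</Name><Value>";
    static const char tail[] =
        "</Value></ParameterValueStruct></ParameterList>"
        "</cwmp:SetParameterValues></soap:Body></soap:Envelope>";
    size_t hl = sizeof(head) - 1, tl = sizeof(tail) - 1;
    char *req = malloc(hl + value_len + tl + 1);
    if (!req) return NULL;
    memcpy(req, head, hl);
    memset(req + hl, 'A', value_len);
    memcpy(req + hl + value_len, tail, tl + 1);
    return req;
}

/* Length the unsafe path would hand to strncpy for a Value of value_len
 * bytes: nothing clamps it, so it is simply value_len. */
size_t unsafe_copy_length(size_t value_len)
{
    size_t n = 0;
    char *req = build_request(value_len);
    if (req) find_value(req, &n);
    free(req);
    return n;
}

/* Run the hardened handler on a constructed request of the given size. */
int safe_result(size_t value_len)
{
    char buf[VALUE_BUF];
    char *req = build_request(value_len);
    int rc = req ? set_parameter_safe(req, buf) : -1;
    free(req);
    return rc;
}

int main(void)
{
    char buf[VALUE_BUF];
    char *benign = build_request(16);
    printf("16-byte value: safe=%d unsafe=%d\n",
           set_parameter_safe(benign, buf), set_parameter_unsafe(benign, buf));
    printf("4096-byte value: safe=%d; unsafe path would strncpy %zu bytes into %d\n",
           safe_result(4096), unsafe_copy_length(4096), VALUE_BUF);
    free(benign);
    return 0;
}
```

The hardened version rejects rather than truncates: in a management protocol, a silently shortened URL or credential is itself a failure mode, and strncpy's habit of leaving the buffer unterminated when the bound equals the buffer size is avoided by the explicit check and memcpy.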
Until TP-Link releases a patch for the CWMP zero-day, users of affected models remain exposed to remote code execution. In the meantime, disable remote administration (and TR-069/CWMP remote management itself, where the ISP does not depend on it), change default admin credentials, monitor for unusual network activity, and avoid using potentially impacted devices in critical environments.