CVE-2025-9377
Published 2025-08-29
Priority: P1 · 81 · high · 7.2 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2025-09-24
Exploited in the wild
EPSS: 11.75% (95.5th percentile)
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9.
This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108.
Both products have reached the status of EOL (end-of-life).
It is recommended to purchase a new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_c7_firmware | < 241108 | 241108 |
| tp-link | tl-wr841n_firmware | < 241108 | 241108 |
| tp-link | tl-wr841nd_firmware | < 241108 | 241108 |
| tp-link_systems_inc | archer_c7_v2 | < 241108 | 241108 |
| tp-link_systems_inc | tl-wr841n_nd_v9 | < 241108 | 241108 |
Detection & IOCs (extracted from sources)
- CVE-2025-9377 is an OS command injection vulnerability located specifically in the Parental Control page of affected TP-Link routers (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9); focus detection on HTTP requests targeting the Parental Control page with anomalous or shell-metacharacter-containing input.
- CVE-2025-9377 is chained with CVE-2023-50224 (authentication bypass) to achieve unauthenticated RCE; detection should look for exploitation of both CVEs in sequence against the same source/destination pair.
- Post-exploitation activity associated with this CVE includes the Quad7 botnet converting compromised routers into proxies and traffic relays; monitor for unexpected outbound proxy/relay traffic from TP-Link router management IPs.
- Threat actors leveraging compromised routers (via this CVE chain) have been observed conducting password spray attacks against cloud services and Microsoft 365; correlate router compromise indicators with downstream credential-spray telemetry.
- Chinese threat actors have been observed proxying/relaying malicious attacks through routers compromised via this CVE to blend with legitimate traffic; look for unusual routing or tunneling behaviour originating from TP-Link router management interfaces.
- Exploitation requires authentication; however, CVE-2023-50224 (auth bypass) is chained with this CVE to enable unauthenticated RCE, so detections should not assume a valid session is required when both CVEs are used together.
- Both affected products (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9) have reached End-of-Life status; patched firmware (241108) exists but the vendor recommends hardware replacement, so deployed detections should account for the likelihood that many devices will remain unpatched indefinitely.
- CISA's remediation due date is 2025-09-24; after this date, unpatched devices in federal environments should be treated as actively compromised until proven otherwise.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.6 | HIGH | |
| cisa | | 8.6 | HIGH | |
GHSA
GHSA-37mx-8m3f-j8vm: The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9
ghsa_unreviewed·2025-08-29
CVE-2025-9377 [HIGH] CWE-78 GHSA-37mx-8m3f-j8vm: The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9
VulnCheck
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
vulncheck·2025·CVSS 8.6
CVE-2025-9377 [HIGH] CWE-78 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: TP-Link Multiple Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.tp-link.com/us/support/faq/4365/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acn.gov.it/portale/w/rilevato-sfruttamento-in-rete-delle-cve-2023-50224-e-cve
VulnCheck
TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
vulncheck·2023·CVSS 6.5
CVE-2023-50224 [MEDIUM] CWE-290 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclosure of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: TP-Link TL-WR841N
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.tp-link.com/us/support/faq/4365/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acn.gov.it/portale/w/rilevato-sfrut
CISA
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
cisa·2025-09-03·CVSS 8.6
CVE-2025-9377 [HIGH] CWE-78 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
Vulnerability: TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
Affected: TP-Link Multiple Routers
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability that exists in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-9377
Remediation Due Date: 2025-09-24
No detection rules found.
No public exploits indexed.
Bleepingcomputer
TP-Link warns users to patch critical router auth bypass flaw
blogs_bleepingcomputer·2026-03-25·CVSS 8.6
CVE-2025-15517 [HIGH] TP-Link warns users to patch critical router auth bypass flaw
## TP-Link warns users to patch critical router auth bypass flaw
## Sergiu Gatlan
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware.
Tracked as CVE-2025-15517, this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.
"A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users," TP-Link explained earlier this week when it released security updates that address the vulnerability.
"An attacker may perform privileged HTTP actions without authentication, inclu
Bleepingcomputer
New TP-Link zero-day surfaces as CISA warns other flaws are exploited
blogs_bleepingcomputer·2025-09-04
## New TP-Link zero-day surfaces as CISA warns other flaws are exploited
## Bill Toulas
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks.
The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who noted that he first reported it to TP-Link on May 11, 2024.
The Chinese networking equipment giant confirmed to BleepingComputer that it is currently investigating the exploitability and exposure of the flaw.
Though a patch is reportedly already developed for European models, work is underway to develop fixes for U.S. and global firmware versions, with no specific date estimates given.
“TP-Link is aware of the recently disclos
Recorded Future
September 2025 CVE Landscape
blogs_recorded_future·CVSS 7.2
[HIGH] September 2025 CVE Landscape
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
- 2025-08-29: Published
- 2025-09-03: Added to CISA KEV
- Exploited in the wild