CVE-2025-9961
published 2025-09-06


Priority: P259high
CVSS 4.0 base score: 8.6
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 9.82% (95.0th percentile)
An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500. The exploit can only be conducted via a Man-In-The-Middle (MITM) attack. This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

Affected

2 ranges

Vendor               Product                                          Version range   Fixed in
tp-link_systems_inc  ax10_v1_v1.2_v2_v2.6_v3_v3.6                     < 1.2.1         1.2.1
tp-link_systems_inc  ax1500_v1_v1.20_v1.26_v1.60_v1.80_v2.60_v3.6     < 1.3.11        1.3.11

Detection & IOCs (extracted from sources)

cookie:  genieacs-ui-jwt
url:     /api/devices/
command: setParameterValues
other:   InternetGatewayDevice.DeviceInfo.ProvisioningCode

Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link AX10/1500 Remote Code Execution via GenieACS (CVE-2025-9961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|api|2f|devices|2f|"; pcre:"/^[a-z0-9A-Z]{6}-[a-z0-9A-Z]{3}-[a-z0-9A-Z]{12}\x2ftasks/R"; http.cookie; content:"genieacs-ui-jwt"; startswith; http.request_body; content:"setParameterValues"; content:"InternetGatewayDevice.DeviceInfo.ProvisioningCode"; fast_pattern; reference:url,blog.byteray.co.uk/exploiting-zero-day-cve-2025-9961-in-the-tp-link-ax10-router-8745f9af9c46; reference:cve,2025-9961; classtype:web-application-attack; sid:2065809; rev:1; metadata:affected_product TPLINK, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_11_18, cve CVE_2025_9961, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_18; target:dest_ip;)
  • Exploit is delivered via HTTP POST to the GenieACS API endpoint matching the URI pattern /api/devices/<6char>-<3char>-<12char>/tasks (CWMP device ID format)
  • Exploit request body contains both 'setParameterValues' and 'InternetGatewayDevice.DeviceInfo.ProvisioningCode' — inspect HTTP POST bodies to GenieACS for this combination
  • Presence of 'genieacs-ui-jwt' cookie at the start of the Cookie header indicates an authenticated GenieACS session is being abused; monitor for this cookie on inbound requests to networking equipment management interfaces
  • Attack requires a Man-In-The-Middle (MITM) position; detection should also consider TLS-decrypted traffic (metadata tag: tls_state TLSDecrypt / deployment SSLDecrypt)
  • Exploitation targets the CWMP binary on TP-Link AX10 and AX1500 devices; focus monitoring on CWMP/TR-069 traffic flows to/from these device models
  • The Snort/Suricata rule (sid:2065809) requires TLS inspection to be effective, as the metadata explicitly flags 'tls_state TLSDecrypt' and 'deployment SSLDecrypt' — the rule will miss attacks over encrypted HTTPS without SSL decryption in the sensor pipeline
  • Affected firmware versions are AX10 V1/V1.2/V2/V2.6/V3/V3.6 before 1.2.1 and AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6 before 1.3.11; detections should be scoped to these device/version combinations
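The following is an added example, not part of this record or of the Emerging Threats rule above: it re-implements the rule's four conditions (POST method, the /api/devices/<6>-<3>-<12>/tasks URI shape, a Cookie header that starts with genieacs-ui-jwt, and both body markers) in Python so that a defender can run them over decrypted GenieACS request captures from a log or proxy, and can see which condition a near-miss request fails. The HTTP requests below are constructed samples with placeholder values; the ACS hostname and device ID are made up.

```python
import re
from dataclasses import dataclass, field

# Conditions taken from the ET rule sid:2065809 for CVE-2025-9961.
# The pcre in the rule is relative to the "/api/devices/" match, so the
# combined URI pattern is anchored at the start of the path.
DEVICE_TASKS_RE = re.compile(
    r"^/api/devices/[a-zA-Z0-9]{6}-[a-zA-Z0-9]{3}-[a-zA-Z0-9]{12}/tasks"
)
COOKIE_PREFIX = "genieacs-ui-jwt"          # rule uses startswith on http.cookie
BODY_MARKERS = (
    "setParameterValues",
    "InternetGatewayDevice.DeviceInfo.ProvisioningCode",
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Minimal parser for a raw HTTP/1.1 request (CRLF line endings)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return HttpRequest(method, uri, headers, body)


def check_request(req: HttpRequest) -> dict:
    """Evaluate each rule condition separately; 'alert' is true only if all hold."""
    checks = {
        "method_post": req.method == "POST",
        "uri_device_tasks": DEVICE_TASKS_RE.match(req.uri) is not None,
        "cookie_genieacs_jwt": req.headers.get("cookie", "").startswith(COOKIE_PREFIX),
        "body_markers": all(marker in req.body for marker in BODY_MARKERS),
    }
    checks["alert"] = all(checks.values())
    return checks


def scan(raw_requests: list) -> list:
    """Return the indexes of requests that would trigger the rule."""
    return [i for i, raw in enumerate(raw_requests)
            if check_request(parse_request(raw))["alert"]]


# --- Constructed sample traffic (not real captures) -------------------------
# 1. Matches every condition of the rule.
SAMPLE_MATCH = (
    "POST /api/devices/abc123-def-0123456789ab/tasks?timeout=3000 HTTP/1.1\r\n"
    "Host: acs.example.internal\r\n"                     # hypothetical ACS host
    "Cookie: genieacs-ui-jwt=PLACEHOLDER-JWT\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"name":"setParameterValues","parameterValues":'
    '[["InternetGatewayDevice.DeviceInfo.ProvisioningCode","CONSTRUCTED-VALUE","xsd:string"]]}'
)
# 2. Same body, but the session cookie is not the first cookie, so the
#    rule's startswith check does not fire (a known blind spot to be aware of).
SAMPLE_COOKIE_ELSEWHERE = SAMPLE_MATCH.replace(
    "Cookie: genieacs-ui-jwt=PLACEHOLDER-JWT",
    "Cookie: theme=dark; genieacs-ui-jwt=PLACEHOLDER-JWT",
)
# 3. Ordinary administrative task on the same endpoint that sets a different
#    parameter; should not alert.
SAMPLE_BENIGN_TASK = SAMPLE_MATCH.replace(
    "InternetGatewayDevice.DeviceInfo.ProvisioningCode",
    "InternetGatewayDevice.ManagementServer.PeriodicInformInterval",
)
# 4. A read of the device list; wrong method and URI shape.
SAMPLE_GET = (
    "GET /api/devices/ HTTP/1.1\r\n"
    "Host: acs.example.internal\r\n"
    "Cookie: genieacs-ui-jwt=PLACEHOLDER-JWT\r\n"
    "\r\n"
)

SAMPLES = [SAMPLE_MATCH, SAMPLE_COOKIE_ELSEWHERE, SAMPLE_BENIGN_TASK, SAMPLE_GET]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES):
        print(i, check_request(parse_request(raw)))
    print("alerting request indexes:", scan(SAMPLES))
```

Sample 2 illustrates the caveat implied by the rule's `startswith` modifier: a request carrying the genieacs-ui-jwt cookie anywhere but at the very start of the Cookie header satisfies the other three conditions yet would not alert, so a looser local variant (cookie substring rather than prefix) is worth considering when tuning for your own deployment.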