CVE-2025-9961
published 2025-09-06
Priority: P2 · 59 · high · 8.6 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS
9.82%
95.0th percentile
An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.
The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.
This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link_systems_inc | ax10_v1_v1.2_v2_v2.6_v3_v3.6 | < 1.2.1 | 1.2.1 |
| tp-link_systems_inc | ax1500_v1_v1.20_v1.26_v1.60_v1.80_v2.60_v3.6 | < 1.3.11 | 1.3.11 |
Detection & IOCs (extracted from sources)
cookie: genieacs-ui-jwt
url: /api/devices/
command: setParameterValues
other: InternetGatewayDevice.DeviceInfo.ProvisioningCode
snort / suricata rule (sid:2065809):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link AX10/1500 Remote Code Execution via GenieACS (CVE-2025-9961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|api|2f|devices|2f|"; pcre:"/^[a-z0-9A-Z]{6}-[a-z0-9A-Z]{3}-[a-z0-9A-Z]{12}\x2ftasks/R"; http.cookie; content:"genieacs-ui-jwt"; startswith; http.request_body; content:"setParameterValues"; content:"InternetGatewayDevice.DeviceInfo.ProvisioningCode"; fast_pattern; reference:url,blog.byteray.co.uk/exploiting-zero-day-cve-2025-9961-in-the-tp-link-ax10-router-8745f9af9c46; reference:cve,2025-9961; classtype:web-application-attack; sid:2065809; rev:1; metadata:affected_product TPLINK, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_11_18, cve CVE_2025_9961, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_18; target:dest_ip;)
- Exploit is delivered via HTTP POST to the GenieACS API endpoint matching the URI pattern /api/devices/<6char>-<3char>-<12char>/tasks (the GenieACS device ID, OUI-ProductClass-SerialNumber, built from the CWMP DeviceId)
- Exploit request body contains both 'setParameterValues' and 'InternetGatewayDevice.DeviceInfo.ProvisioningCode'; inspect HTTP POST bodies to GenieACS for this combination. Note that the rule matches the ACS-side API call that queues the task, not the TR-069 SOAP SetParameterValues message the ACS then delivers to the router; that leg is a separate flow the rule does not cover.
- The 'genieacs-ui-jwt' cookie at the start of the Cookie header indicates an authenticated GenieACS UI session is being used to queue the task; because the rule uses 'startswith', a Cookie header that lists another cookie before genieacs-ui-jwt will not match. Monitor for this cookie on inbound requests to the GenieACS management interface.
- The attack requires a Man-In-The-Middle (MITM) position; detection should also consider TLS-decrypted traffic (metadata tag: tls_state TLSDecrypt / deployment SSLDecrypt).
- Exploitation targets the CWMP binary on TP-Link AX10 and AX1500 devices; focus monitoring on CWMP/TR-069 traffic flows to/from these device models.
- The Snort/Suricata rule (sid:2065809) requires TLS inspection to be effective when the GenieACS API is served over HTTPS: the metadata flags 'tls_state TLSDecrypt' and 'deployment SSLDecrypt', and without decryption in the sensor pipeline the rule only sees the plaintext HTTP case.
- Affected firmware versions are AX10 V1/V1.2/V2/V2.6/V3/V3.6 before 1.2.1 and AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6 before 1.3.11; scope detections to these device/version combinations.
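The following is an added example, not code from this page or from the Emerging Threats rule authors. It re-implements the match conditions of sid:2065809 (POST method, /api/devices/<id>/tasks URI, Cookie header starting with genieacs-ui-jwt, body containing both setParameterValues and InternetGatewayDevice.DeviceInfo.ProvisioningCode) in Python, so the same logic can be run over GenieACS or reverse-proxy request logs where no IDS sees decrypted traffic. The hostname, device ID, JWT value and request bodies are constructed for the demonstration; the cookie-not-first case shows the gap the rule's startswith modifier leaves.

```python
import re
from dataclasses import dataclass, field

# Conditions taken from ET rule sid:2065809:
#   http.method   content:"POST"
#   http.uri      content:"/api/devices/" followed by the relative pcre
#                 ^[a-z0-9A-Z]{6}-[a-z0-9A-Z]{3}-[a-z0-9A-Z]{12}\x2ftasks
#   http.cookie   content:"genieacs-ui-jwt"; startswith
#   request body  content:"setParameterValues" and
#                 content:"InternetGatewayDevice.DeviceInfo.ProvisioningCode"
DEVICE_TASKS_URI = re.compile(
    r"/api/devices/([A-Za-z0-9]{6})-([A-Za-z0-9]{3})-([A-Za-z0-9]{12})/tasks"
)
COOKIE_PREFIX = "genieacs-ui-jwt"
BODY_TOKENS = ("setParameterValues",
               "InternetGatewayDevice.DeviceInfo.ProvisioningCode")


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_http_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def match_cve_2025_9961(req: HttpRequest):
    """Apply every rule condition in order; return match details or None."""
    if req.method != "POST":
        return None
    m = DEVICE_TASKS_URI.search(req.uri)
    if m is None:
        return None
    # 'startswith' in the rule: genieacs-ui-jwt must be the first cookie.
    if not req.headers.get("cookie", "").startswith(COOKIE_PREFIX):
        return None
    if not all(tok in req.body for tok in BODY_TOKENS):
        return None
    oui, product_class, serial = m.groups()
    return {"device_id": f"{oui}-{product_class}-{serial}",
            "oui": oui, "product_class": product_class, "serial": serial}


# Constructed sample requests (hypothetical host, device ID and token).
EXPLOIT_TASK = (
    "POST /api/devices/A1B2C3-AX1-1234567890AB/tasks?timeout=3000 HTTP/1.1\r\n"
    "Host: acs.example.internal\r\n"
    "Cookie: genieacs-ui-jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"name":"setParameterValues","parameterValues":'
    '[["InternetGatewayDevice.DeviceInfo.ProvisioningCode","AAAA","xsd:string"]]}'
)
# Same task, but another cookie precedes the session cookie: rule does not fire.
COOKIE_NOT_FIRST = EXPLOIT_TASK.replace(
    "Cookie: genieacs-ui-jwt=", "Cookie: lang=en; genieacs-ui-jwt=")
# Routine provisioning task on a different parameter: no match.
BENIGN_TASK = EXPLOIT_TASK.replace(
    "InternetGatewayDevice.DeviceInfo.ProvisioningCode",
    "InternetGatewayDevice.ManagementServer.PeriodicInformInterval")
# Reading the device record instead of queuing a task: no match.
GET_DEVICE = EXPLOIT_TASK.replace("POST ", "GET ", 1)


def scan(samples):
    """Run the matcher over label -> raw request; return the labels that fire."""
    return [label for label, raw in samples.items()
            if match_cve_2025_9961(parse_http_request(raw)) is not None]


if __name__ == "__main__":
    fired = scan({"exploit": EXPLOIT_TASK, "cookie_not_first": COOKIE_NOT_FIRST,
                  "benign": BENIGN_TASK, "get": GET_DEVICE})
    print("fired on:", fired)
```

Only the first sample fires. If GenieACS sits behind a proxy that reorders or adds cookies, relax the startswith check to a search within the Cookie header when porting this to log review; the ET rule itself keeps the stricter anchor.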
Suricata
ET EXPLOIT TP-Link AX10/1500 Remote Code Execution via GenieACS (CVE-2025-9961)
suricata · 2025-11-18 · CVSS 8.6 · severity HIGH · sid:2065809
Rule: the full rule text is given under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.