CVE-2025-9377
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-11-03

Assigner: TPLink

Description
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9377
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
tp-link tl-wr841n_firmware to 241108 (exc)
tp-link tl-wr841n v9
tp-link tl-wr841nd_firmware to 241108 (exc)
tp-link tl-wr841nd 9
tp-link archer_c7_firmware to 241108 (exc)
tp-link archer_c7 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9377 is an authenticated remote command execution (RCE) vulnerability found in the Parental Control page of certain TP-Link routers, specifically the Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 models. Attackers who gain access to the router's management interface can exploit this vulnerability by injecting commands via the url_0 parameter, allowing them to execute arbitrary commands on the device remotely. This vulnerability is part of a chained exploit used by the Quad 7 botnet, which first obtains credentials through another vulnerability and then uses those credentials to authenticate and exploit CVE-2025-9377. [2]

Impact Analysis

This vulnerability can allow attackers to remotely execute arbitrary commands on your affected TP-Link router if they gain authenticated access, potentially leading to full control over the device. This can result in unauthorized changes to your network settings, interception or redirection of your internet traffic, and the router being used as part of a botnet for further attacks, such as password spraying against Microsoft 365 accounts. The risk is higher if remote administration is enabled and exposed to the internet, which is not the default setting. Since the affected devices are End of Life, they no longer receive security updates, increasing the risk if patches are not applied or the device is not replaced. [1, 2]

Detection Guidance

Detection of this vulnerability involves checking if your TP-Link router is running vulnerable firmware versions (before 241108 for Archer C7(EU) V2 and TL-WR841N/ND(MS) V9) and if the remote administration interface is enabled and exposed to the internet. Since the exploit involves command injection via the Parental Control page's url_0 parameter, monitoring for unusual HTTP requests targeting this page or unexpected command execution behavior could indicate exploitation attempts. Additionally, checking for signs of the Quad 7 (7777) botnet activity, such as unusual outbound traffic or password spray attempts against Microsoft 365 accounts, may help detect compromise. Specific commands are not provided in the resources, but network administrators should review router firmware versions, disable remote administration, and monitor logs for suspicious activity. [2]

Mitigation Strategies

Immediate mitigation steps include updating the router firmware to the patched versions provided by TP-Link for the affected models (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9) available at the links in Resource 1. If updating firmware is not possible, users should disable remote administration over the internet to prevent exploitation. Additionally, rebooting and restoring the router to ensure proper access to the local management webpage is recommended. For longer-term security, TP-Link advises purchasing newer hardware since these models are End of Life and will not receive further security updates. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart