CVE-2025-9377
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-11-03
Assigner: TPLink
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tp-link | tl-wr841n_firmware | all builds before 241108 (build 241108 is the fixed release) |
| tp-link | tl-wr841n | v9 |
| tp-link | tl-wr841nd_firmware | all builds before 241108 (build 241108 is the fixed release) |
| tp-link | tl-wr841nd | v9 |
| tp-link | archer_c7_firmware | all builds before 241108 (build 241108 is the fixed release) |
| tp-link | archer_c7 | v2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9377 is an authenticated remote command execution (RCE) vulnerability in the Parental Control page of certain TP-Link routers, specifically the Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. The value of the url_0 parameter on that page is used to build an OS command without being sanitized (CWE-78), so an attacker who can log in to the router's web management interface can append shell metacharacters and their own commands to a URL entry and have them executed on the device with the web server's privileges. Authentication is required, which is why the vulnerability has been used as the second stage of a chain by the Quad 7 botnet: the botnet first recovers the router's credentials through a separate vulnerability, logs in with them, and then triggers CVE-2025-9377. [2]
How can this vulnerability impact me? :
If an attacker can authenticate to an affected router, this vulnerability lets them run arbitrary commands on it, which amounts to full control of the device. Possible consequences are unauthorized changes to network settings (DNS, port forwarding, firewall rules), interception or redirection of your internet traffic, and the router being enrolled in a botnet and used for further attacks, such as password spraying against Microsoft 365 accounts. The exposure is greatest when remote administration is enabled and reachable from the internet, which is not the default setting; on a default configuration the attacker must already be on the LAN or have another foothold. These models are End of Life: TP-Link has published a one-off fix (build 241108) for them, but they will not receive ongoing security updates, so a device that is neither updated to that build nor replaced stays exposed. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: establishing whether a router is exposed, and looking for exploitation. For exposure, check the firmware version on the router's status page and confirm whether it is older than build 241108 (the fixed build for both Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), and check whether remote management is enabled and reachable from the WAN side. For exploitation, the injection travels in the url_0 parameter of a request to the Parental Control page, so any request in which a URL-list parameter contains shell metacharacters (semicolon, pipe, backtick, $( ... )) is a strong indicator; note that these routers keep very little request logging themselves, so such requests are more realistically caught by a capture or proxy in front of the management interface than in the router's own logs. Signs of Quad 7 (7777) botnet activity, such as unexpected outbound connections from the router or password-spray attempts against Microsoft 365 accounts sourced from your public IP, may indicate that a device has already been compromised. The resources do not provide specific commands; network administrators should review firmware versions, disable remote administration, and monitor for the traffic patterns above. [2]
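The two checks described above, as an added example that is not part of the original page or of any TP-Link tooling: a build-number comparison against the fixed build, and a scan of request records for URL-list parameters carrying shell metacharacters. The request records and the Parental Control endpoint path are constructed for illustration (the page only names the url_0 parameter; url_1, url_2, ... are assumed to be the other slots of the same list), and the records are assumed to come from a capture or proxy in front of the management interface rather than from the router itself.

```python
import re
from urllib.parse import parse_qs

# Fixed build from TP-Link's advisory; earlier YYMMDD builds are vulnerable.
PATCHED_BUILD = 241108

# Shell metacharacters that have no place in a parental-control URL entry.
SHELL_META = re.compile(r"[;|`&\n]|\$\(|\$\{")

# Parameter names of the URL list on the Parental Control page. The page
# names url_0; the other slots being url_1, url_2, ... is an assumption.
URL_PARAM = re.compile(r"^url_\d+$")


def is_vulnerable_build(build):
    """Return True when a 6-digit YYMMDD build number predates the fixed build."""
    if not re.fullmatch(r"\d{6}", build):
        raise ValueError("expected a 6-digit YYMMDD build number, got %r" % (build,))
    return int(build) < PATCHED_BUILD


def suspicious_url_params(raw_params):
    """Return {name: value} for url_N parameters whose value contains shell metacharacters."""
    hits = {}
    for name, values in parse_qs(raw_params, keep_blank_values=True).items():
        if not URL_PARAM.match(name):
            continue
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def find_injection_attempts(records):
    """Scan request records and return a list of (src, path, {param: value}) findings.

    Each record is a dict with 'src', 'method', 'path' and 'params' (the query
    string for GET or the urlencoded body for POST). The path is deliberately
    not filtered, so a renamed or aliased Parental Control endpoint is still caught.
    """
    findings = []
    for rec in records:
        hits = suspicious_url_params(rec.get("params", ""))
        if hits:
            findings.append((rec["src"], rec["path"], hits))
    return findings


# Constructed sample records (not real traffic); the endpoint path is an assumption.
SAMPLE_RECORDS = [
    {"src": "192.168.0.23", "method": "POST", "path": "/userRpm/ParentCtrlRpm.htm",
     "params": "url_0=example.com&url_1=school.example"},
    {"src": "203.0.113.7", "method": "POST", "path": "/userRpm/ParentCtrlRpm.htm",
     "params": "url_0=example.com%3B%24%28id%29&url_1="},
    {"src": "192.168.0.50", "method": "GET", "path": "/userRpm/StatusRpm.htm",
     "params": "Refresh=1"},
]

if __name__ == "__main__":
    for src, path, hits in find_injection_attempts(SAMPLE_RECORDS):
        print("possible CVE-2025-9377 attempt from %s to %s: %s" % (src, path, hits))
    print("build 240920 vulnerable:", is_vulnerable_build("240920"))
```

The metacharacter list is intentionally narrow so that ordinary URL entries (dots, slashes, hyphens, query strings) do not trigger it; a hit should be treated as an attempt regardless of whether the request came from the LAN or the WAN, since the chained attack authenticates with stolen credentials first.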
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update the router to the fixed firmware (build 241108) that TP-Link has published for the affected models (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), available at the links in Resource 1. If updating is not possible right away, disable remote administration over the internet so that the management interface is reachable only from the LAN. If the local management page cannot be reached, which can happen on a device that has already been tampered with, reboot the router and restore it to factory settings, then apply the update; after updating, change the administrator password, since the botnet's chain begins by obtaining the existing credentials. For the longer term, TP-Link advises replacing these models with newer hardware, as they are End of Life and will not receive further security updates. [1, 2]