CISA Identifies Active Exploitation of TP-Link Router Vulnerabilities CVE-2023-50224 and CVE-2025-9377

On September 3, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.

Details of the Vulnerabilities:

1. CVE-2023-50224: This vulnerability, with a CVSS score of 6.5, is an authentication bypass issue within the HTTP daemon (httpd) service of the TP-Link TL-WR841N router. By default, this service listens on TCP port 80. Exploitation of this flaw can lead to unauthorized access and disclosure of the credentials stored at /tmp/dropbear/dropbearpwd.

2. CVE-2025-9377: Assigned a CVSS score of 8.6, this is an operating system command injection vulnerability present in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers. Successful exploitation could allow remote code execution, granting attackers control over the affected devices.

Affected Models and End-of-Life Status:

According to TP-Link’s official website, the following router models have reached their end-of-life (EoL) status:

– TL-WR841N (versions 10.0 and 11.0)
– TL-WR841ND (version 10.0)
– Archer C7 (versions 2.0 and 3.0)

Despite these models being EoL, TP-Link released firmware updates addressing these vulnerabilities in November 2024 due to observed malicious exploitation activities.

TP-Link’s Official Statement:

TP-Link has acknowledged the vulnerabilities and the associated risks. The company stated, "The affected products have reached their End-of-Service (EOS) and are no longer receiving active support, including security updates." The company further recommended that customers upgrade to newer hardware to ensure optimal performance and security.

Exploitation and Associated Threats:

While there are no public reports explicitly detailing the exploitation of these vulnerabilities, TP-Link’s advisory, updated last week, links the in-the-wild activity to a botnet known as Quad7 (also referred to as CovertNetwork-1658). This botnet has been used by a China-linked threat actor, codenamed Storm-0940, to conduct highly evasive password spray attacks.

Recommendations and Mitigation Measures:

In response to the active exploitation of these vulnerabilities, CISA has urged Federal Civilian Executive Branch (FCEB) agencies to implement necessary mitigations by September 24, 2025, to secure their networks.
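The practical work behind a KEV deadline is matching the catalog entries against what is actually deployed. The following is an added example (not code from the article, CISA or TP-Link) that parses a KEV-style record, expands a product string such as "Archer C7(EU) V2 and TL-WR841N/ND(MS) V9" into individual models, matches it against an asset inventory, and reports the days left until the required-action date. The JSON layout follows the field names of CISA's published KEV feed (cveID, vendorProject, product, dateAdded, dueDate); the sample records and the inventory hosts are constructed here, with the CVE ids, products and dates taken from the article.

```python
"""KEV-driven triage for the TP-Link entries described in the article (added example).

Assumptions that are not from the article: the KEV JSON layout mirrors CISA's
public feed (top-level "vulnerabilities" list with cveID, vendorProject, product,
dateAdded, dueDate, ...); the asset inventory rows are constructed for illustration.
"""
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV feed. CVE ids, products and dates
# come from the article; the description wording is ours.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link",
         "product": "TL-WR841N", "dateAdded": "2025-09-03", "dueDate": "2025-09-24",
         "shortDescription": "Authentication bypass in httpd exposing stored credentials."},
        {"cveID": "CVE-2025-9377", "vendorProject": "TP-Link",
         "product": "Archer C7(EU) V2 and TL-WR841N/ND(MS) V9",
         "dateAdded": "2025-09-03", "dueDate": "2025-09-24",
         "shortDescription": "OS command injection leading to remote code execution."},
    ],
})

# Constructed asset inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "10.0.5.1",  "vendor": "TP-Link", "model": "TL-WR841N",   "hw_version": "v10"},
    {"host": "10.0.7.1",  "vendor": "TP-Link", "model": "Archer C7",   "hw_version": "v2"},
    {"host": "10.0.9.1",  "vendor": "TP-Link", "model": "Archer AX55", "hw_version": "v1"},
    {"host": "10.0.11.1", "vendor": "Netgear", "model": "R7000",       "hw_version": "v1"},
]


def _norm(text):
    """Lower-case and drop punctuation so 'TL-WR841N' and 'tl wr841n' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def parse_product_field(product):
    """Expand a KEV product string into (model, hardware_version_or_None) pairs.

    'Archer C7(EU) V2 and TL-WR841N/ND(MS) V9' -> [('Archer C7', '2'), ('TL-WR841N', '9')]
    Market suffixes such as (EU)/(MS) are dropped; a bare variant suffix after '/'
    ('ND') carries no digits and is skipped, relying on prefix matching below.
    """
    pairs = []
    for part in re.split(r"\band\b|,", product):
        part = re.sub(r"\([A-Za-z]+\)", "", part)
        m = re.search(r"\bV(\d+)\b", part, flags=re.I)
        version = m.group(1) if m else None
        if m:
            part = part[:m.start()] + part[m.end():]
        for piece in part.split("/"):
            piece = piece.strip()
            if re.search(r"\d", piece):
                pairs.append((piece, version))
    return pairs


def match_asset(entry, asset):
    """Return match details or None. Model matching is by normalized prefix in either
    direction, which deliberately over-matches (TL-WR841N also catches TL-WR841ND);
    the hardware-version comparison is reported separately, never used to suppress."""
    if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
        return None
    asset_model = _norm(asset["model"])
    asset_ver = re.sub(r"\D", "", asset.get("hw_version", "")) or None
    for model, ver in parse_product_field(entry["product"]):
        kev_model = _norm(model)
        if asset_model.startswith(kev_model) or kev_model.startswith(asset_model):
            version_match = None if ver is None or asset_ver is None else (ver == asset_ver)
            return {"model": model, "version_match": version_match}
    return None


def triage(raw_kev_json, inventory, today_iso):
    """Cross-reference KEV entries with the inventory; sorted by urgency, then host, CVE."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(raw_kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            hit = match_asset(entry, asset)
            if hit:
                findings.append({
                    "host": asset["host"], "cve": entry["cveID"], "model": asset["model"],
                    "hw_version": asset.get("hw_version"),
                    "version_match": hit["version_match"],
                    "due": entry["dueDate"], "days_left": (due - today).days,
                })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2025-09-10"):
        print(f"{f['host']:<10} {f['model']:<12} {f['hw_version']:<4} {f['cve']:<15} "
              f"due {f['due']} ({f['days_left']} days) version_match={f['version_match']}")
```

The prefix match is intentionally loose: an EoL consumer router is cheaper to review than to miss, so the hardware-version check only annotates a finding rather than filtering it out. Swapping KEV_SAMPLE for the real feed and INVENTORY for a CMDB export is the only change needed to run this against a live estate.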

Additional Context:

This development follows CISA’s recent addition of another high-severity security flaw affecting TP-Link TL-WA855RE Wi-Fi Range Extender products (CVE-2020-24363, CVSS score: 8.8) to its KEV catalog, citing evidence of active exploitation.

Conclusion:

The identification and active exploitation of these vulnerabilities underscore the importance of timely firmware updates and, for end-of-life devices, hardware replacement. Users of affected TP-Link routers are strongly advised to apply the available firmware updates or upgrade to newer, supported hardware to maintain network security.