The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two significant security vulnerabilities affecting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in real-world scenarios.
Detailed Overview of the Vulnerabilities:
1. CVE-2023-50224 (CVSS Score: 6.5): An authentication bypass in the HTTP daemon (`httpd`) of the TP-Link TL-WR841N router, which typically listens on TCP port 80. Exploiting this flaw can give an unauthenticated attacker access to the credentials stored at `/tmp/dropbear/dropbearpwd`.
2. CVE-2025-9377 (CVSS Score: 8.6): This is a more severe operating system command injection vulnerability found in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers. Successful exploitation could allow remote code execution, granting attackers full control over the affected devices.
Impacted Devices and End-of-Life Status:
According to TP-Link’s official documentation, the following router models have reached their End-of-Life (EoL) status:
– TL-WR841N (versions 10.0 and 11.0)
– TL-WR841ND (version 10.0)
– Archer C7 (versions 2.0 and 3.0)
Although these models are EoL, TP-Link released firmware updates addressing these vulnerabilities in November 2024 because of observed malicious exploitation. The company advises users that these products no longer receive active support, including security updates, and recommends upgrading to newer hardware for continued performance and security.
Connection to Malicious Activities:
While there are no public reports explicitly detailing the exploitation of these vulnerabilities, TP-Link has linked in-the-wild activity to a botnet known as Quad7 (also referred to as CovertNetwork-1658). This botnet has been used by a China-linked threat actor, codenamed Storm-0940, to conduct highly evasive password spray attacks.
CISA’s Recommendations and Deadlines:
In response to the active exploitation of these vulnerabilities, CISA has urged Federal Civilian Executive Branch (FCEB) agencies to implement necessary mitigations by September 24, 2025, to secure their networks.
Additional Context on TP-Link Router Vulnerabilities:
This development follows CISA’s recent addition of another high-severity security flaw affecting TP-Link TL-WA855RE Wi-Fi Range Extender products (CVE-2020-24363, CVSS score: 8.8) to its KEV catalog, citing evidence of active exploitation.
Understanding the Broader Implications:
The exploitation of these vulnerabilities underscores the critical importance of maintaining up-to-date firmware and replacing hardware that has reached its End-of-Life status. Attackers often target outdated devices due to their lack of security updates, making them susceptible to various forms of cyberattacks, including unauthorized access, data breaches, and the establishment of botnets.
Recommendations for Users:
1. Firmware Updates: Users of affected TP-Link routers should immediately apply the latest firmware updates provided by TP-Link to mitigate these vulnerabilities.
2. Hardware Upgrades: For devices that have reached End-of-Life status, it is strongly recommended to upgrade to newer, supported hardware to ensure continued security and performance.
3. Network Monitoring: Regularly monitor network traffic for unusual activities that may indicate exploitation attempts or unauthorized access.
4. Security Best Practices: Implement strong, unique passwords for all network devices, disable unnecessary services, and regularly review and update security configurations.
Conclusion:
The active exploitation of vulnerabilities CVE-2023-50224 and CVE-2025-9377 in TP-Link routers highlights the ongoing challenges in network security, especially concerning outdated hardware. Users and organizations must remain vigilant, ensuring that all network devices are up-to-date and supported to protect against emerging threats.