
CISA has issued a fresh warning for TP-Link router users. On Wednesday, CISA added two serious vulnerabilities impacting TP-Link devices to its Known Exploited Vulnerabilities (KEV) catalog. This means there is credible evidence that cybercriminals are already exploiting these flaws in the wild.
Both vulnerabilities affect popular TP-Link router models that are widely used in homes, small businesses, and offices. Since routers are the first line of defense for any network, these weaknesses could expose users to severe risks, including credential theft and full remote takeover of their devices.
CVE-2023-50224: Authentication Bypass (CVSS 6.5)
This flaw exists in the httpd service of TP-Link TL-WR841N routers, which listens on TCP port 80 by default. Attackers can exploit this weakness to bypass authentication and gain access to sensitive stored credentials located in the file:
/tmp/dropbear/dropbearpwd
If successful, this attack could allow hackers to collect router login details, paving the way for further compromise.
CVE-2025-9377: Command Injection (CVSS 8.6)
This is a more critical issue that affects TP-Link Archer C7 (EU) V2 and TL-WR841N/ND (MS) V9 routers. It allows attackers to perform operating system command injection, which can result in remote code execution (RCE).
In simpler terms, a hacker could gain full control over the affected router, potentially installing malware, redirecting network traffic, or using the device in larger cyberattacks such as botnets.
According to TP-Link’s official website, the following models have already reached End-of-Life (EoL) status, meaning they are no longer actively supported:
- TL-WR841N (versions 10.0 and 11.0)
- TL-WR841ND (version 10.0)
- Archer C7 (versions 2.0 and 3.0)
Despite being EoL, TP-Link released firmware updates in November 2024 to patch these vulnerabilities. This move was necessary because cybercriminals were actively exploiting the flaws.
In a recent security advisory, TP-Link acknowledged the seriousness of these flaws. However, the company emphasized that since these models have already reached their End-of-Service (EOS), they will not receive ongoing security patches or technical support.
TP-Link advised customers to upgrade to newer router models for better performance, stability, and security. The company strongly recommends avoiding outdated devices, especially since attackers are increasingly targeting them due to their unpatched vulnerabilities.
While there are no detailed public reports on specific exploitation campaigns, TP-Link’s advisory linked recent malicious activity to the Quad7 botnet (also known as CovertNetwork-1658).
Researchers have associated this botnet with a China-linked advanced persistent threat (APT) group called Storm-0940. This group has been involved in highly evasive password spray attacks, a tactic where attackers try multiple common passwords across many accounts to gain unauthorized access.
This connection highlights the growing use of compromised routers in state-sponsored cyber operations.

Due to the high risk, CISA has ordered all Federal Civilian Executive Branch (FCEB) agencies to apply mitigations by September 24, 2025. This includes patching affected devices, upgrading hardware, or implementing compensating controls to secure their networks.
For regular users, this deadline serves as an urgent reminder: if you own any of the affected TP-Link models, you should update the firmware immediately or replace the device entirely.
This warning comes just a day after CISA flagged another critical TP-Link issue:
CVE-2020-24363 (CVSS 8.8) – A vulnerability in TP-Link TL-WA855RE Wi-Fi Range Extender devices.
Like the two latest flaws, this older bug is also being actively exploited by threat actors. The repeated targeting of TP-Link products shows how attackers view consumer-grade networking gear as a weak point in cybersecurity defenses.
If you use a TP-Link router, here are some key steps to protect yourself:
Check your model and firmware version – Visit TP-Link’s website or your router settings to confirm if your device is affected.
Apply firmware updates immediately – If a patch is available, install it without delay.
Consider upgrading to newer hardware – End-of-Life devices will not receive future fixes, leaving you permanently exposed.
Secure your router settings – Change default admin passwords, disable remote management if not needed, and enable WPA3 or WPA2 encryption.
Monitor your network for suspicious activity – Look out for unusual bandwidth spikes or unknown devices connected to your router.
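To make the monitoring step concrete, here is an added example (not from the article or from TP-Link) that flags DHCP leases whose MAC address is missing from an owner-maintained allowlist and hourly upload volumes far above the median of the other hours; the allowlist, lease lines and traffic figures are constructed, and the lease export format is an assumption.

```python
"""Flag unknown LAN devices and upload spikes from a router's exports.

Added example, not code from the article or from TP-Link. The lease
format assumed here is "<expiry> <mac> <ip> <hostname>" per line, as
many router firmwares export it; all data below is constructed.
"""
from statistics import median

# Constructed allowlist: MAC addresses the owner recognises.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "laptop",
    "aa:bb:cc:00:00:02": "phone",
}

# Constructed DHCP lease export (expiry, MAC, IP, hostname).
LEASES = """\
1725000000 aa:bb:cc:00:00:01 192.168.0.10 laptop
1725000100 aa:bb:cc:00:00:02 192.168.0.11 phone
1725000200 de:ad:be:ef:00:99 192.168.0.57 *
"""

# Constructed hourly WAN upload volumes in MB; hour 6 is the outlier.
UPLOAD_MB = [120, 110, 130, 125, 118, 122, 980, 115]


def unknown_devices(leases: str, known: dict) -> list:
    """Return (mac, ip, hostname) for every lease not in the allowlist."""
    found = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _, mac, ip, host = parts[:4]
        if mac.lower() not in known:
            found.append((mac.lower(), ip, host))
    return found


def bandwidth_spikes(samples: list, factor: float = 3.0) -> list:
    """Return indexes of samples above factor x the median of the others."""
    spikes = []
    for i, value in enumerate(samples):
        others = samples[:i] + samples[i + 1:]
        if others and value > factor * median(others):
            spikes.append(i)
    return spikes


if __name__ == "__main__":
    print("unknown devices:", unknown_devices(LEASES, KNOWN_DEVICES))
    print("spike hours:", bandwidth_spikes(UPLOAD_MB))
```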
The discovery and exploitation of CVE-2023-50224 and CVE-2025-9377 prove once again that outdated networking hardware is a major cybersecurity risk. With CISA confirming real-world exploitation, the threat is no longer theoretical.
For both individuals and organizations, the lesson is clear: keeping routers updated and replacing old devices is essential for security. Hackers are increasingly turning home and office routers into easy entry points for larger cyber campaigns.
By taking proactive steps now, TP-Link users can reduce their exposure and stay one step ahead of cybercriminals.