
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) simultaneously warns that other, distinct TP-Link flaws are being actively exploited in attacks by a sophisticated threat actor[1]. This situation presents a multi-faceted threat to network security, involving both an emerging risk from a new vulnerability and an immediate threat from ongoing campaigns targeting known weaknesses. The convergence of these events highlights persistent security challenges within consumer and small office/home office (SOHO) networking equipment, particularly devices that have reached end-of-life status but remain widely deployed.
The newly disclosed zero-day is a stack-based buffer overflow vulnerability within TP-Link’s implementation of the CPE WAN Management Protocol (CWMP)[1]. The flaw was discovered by independent threat researcher Mehrun (ByteRay), who reported it to the vendor on May 11, 2024. The root cause stems from a lack of bounds checking in `strncpy` function calls when the device processes SOAP `SetParameterValues` messages. Successful exploitation, which requires redirecting a vulnerable device to a malicious CWMP server to deliver an oversized SOAP payload, can lead to remote code execution (RCE) if the target stack buffer size exceeds 3072 bytes. TP-Link has confirmed the Archer AX10 and Archer AX1500 models are affected, with the EX141, Archer VR400, and TD-W9970 models also potentially vulnerable. A patch has been developed for European firmware versions, with work ongoing for U.S. and global releases[1].
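As an added illustration (not TP-Link's firmware code or the researcher's findings), the `strncpy` misuse pattern the article describes is shown beside a destination-bounded copy that rejects oversized values; the `<Value>` element parsing, the 64-byte buffer size, and the function names are assumptions made for this example.

```c
#include <string.h>
#define VALUE_BUF_SIZE 64  /* hypothetical stack buffer size, not a TP-Link value */

/* Point at the text between <Value ...> and </Value> in a SOAP SetParameterValues
 * body and store its length; NULL when the element is absent or malformed. */
static const char *find_value(const char *body, size_t *len)
{
    const char *open = strstr(body, "<Value");
    const char *start = open ? strchr(open, '>') : NULL;
    const char *end = start ? strstr(start + 1, "</Value>") : NULL;
    if (!end) return NULL;
    *len = (size_t)(end - (start + 1));
    return start + 1;
}

/* BEFORE: the bug class the article describes. The strncpy bound comes from the
 * source, so it never limits the write and an oversized value overflows the
 * stack buffer. Kept only as the anti-pattern; nothing here calls it. */
int set_value_vulnerable(const char *body)
{
    char value[VALUE_BUF_SIZE];
    size_t len; const char *src = find_value(body, &len);
    if (!src) return -1;
    strncpy(value, src, len);  /* len is never compared with sizeof value */
    value[len] = '\0';         /* this write can also land past the buffer */
    return (int)strlen(value);
}

/* AFTER: bound the copy by the destination, reject oversized input rather than
 * silently truncating it, and always NUL-terminate. Returns the copied length,
 * or -1 when the element is missing or does not fit. */
int set_value_hardened(const char *body, char *out, size_t out_size)
{
    size_t len; const char *src = find_value(body, &len);
    if (!src || len >= out_size) return -1;  /* keep room for the terminator */
    memcpy(out, src, len);
    out[len] = '\0';
    return (int)len;
}

/* Boundary probe: run the hardened copy on a constructed body whose value is
 * value_len (<= 400) bytes of 'A'. Returns the copied length or -1 (rejected). */
int hardened_result_for_length(size_t value_len)
{
    char body[512], out[VALUE_BUF_SIZE];
    memset(body, 'A', sizeof body);
    memcpy(body, "<Value>", 7);
    memcpy(body + 7 + value_len, "</Value>", 9);  /* 9 bytes copies the NUL too */
    return set_value_hardened(body, out, sizeof out);
}
```

The probe function makes the boundary visible: a 63-byte value fits the 64-byte buffer and is copied, a 64-byte value is rejected rather than written past the terminator slot.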
CISA Warns of Actively Exploited TP-Link Flaws
In a separate but related development, CISA added two TP-Link vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on September 3-4, 2025, citing evidence of active exploitation in the wild[2]. The first flaw, CVE-2023-50224 (CVSS 6.5), is an authentication bypass in the httpd service of TP-Link TL-WR841N routers. This vulnerability allows an attacker to access the file `/tmp/dropbear/dropbearpwd` and disclose user credentials. The second, more severe flaw is CVE-2025-9377 (CVSS 8.6), a command injection vulnerability that also leads to remote code execution. These vulnerabilities affect the TL-WR841N, TL-WR841ND, and certain versions of the Archer C7 router, some of which are end-of-life (EoL) and will not receive patches.
Quad7 Botnet Campaign and Espionage Objectives
Analysis by security researchers attributes the exploitation of these vulnerabilities to the Quad7 botnet, also tracked as CovertNetwork-1658, which has links to the Chinese threat actor Storm-0940[2]. Unlike typical botnets focused on DDoS or cryptomining, this campaign has a more focused espionage objective. The threat actors exploit the vulnerabilities to install custom malware on compromised routers, effectively converting them into covert proxies. These proxy nodes are then used to conduct credential theft and password spray attacks against various cloud services, providing the actors with a resilient and difficult-to-trace infrastructure for their operations.
Legacy and End-of-Life Devices Pose Significant Risk
The problem is compounded by the widespread use of end-of-life hardware. CISA also added CVE-2020-24363 (CVSS 8.8) to its KEV catalog[3]. This is a missing authentication vulnerability in the TP-Link TL-WA855RE Wi-Fi extender that allows an attacker on the same local network to perform a factory reset and set a new administrative password. Although a patch was issued in July 2020 (firmware version `TL-WA855RE(EU)_V5_200731`), the device is now end-of-life and no longer supported, leaving users without a security update path. This follows a previous CISA directive from June 2025 regarding CVE-2023-33538, a command injection bug in several EoL TP-Link router models (TL-WR940N, TL-WR841N, TL-WR740N) that also required federal agencies to replace the affected hardware[4].
Immediate Mitigation and Response Strategies
In response to the active exploitation, CISA has issued binding operational directives for all Federal Civilian Executive Branch (FCEB) agencies. Agencies are required to apply mitigations for CVE-2023-50224 and CVE-2025-9377 by September 24, 2025, and for CVE-2020-24363 by September 23, 2025[2][3]. For the broader public and enterprise users, TP-Link and security researchers recommend a series of immediate actions. For the unpatched zero-day, users should change the router’s default administrative password, disable the CWMP (often labeled TR-069 or Auto-CFG) service if it is not required by their internet service provider, apply the latest available firmware update, and consider segmenting the router away from critical internal networks. For the exploited vulnerabilities, TP-Link additionally advises users to reboot and restore their router to refresh access to the local management interface and to avoid using remote management features, opting instead for the official Tether mobile app for configuration[2].
The persistence of these attacks against both new and legacy TP-Link devices underscores a systemic issue in the IoT security lifecycle. The high level of public concern was evidenced by significant engagement on a CyberNews Facebook post summarizing the CISA warnings, which garnered nearly 200 reactions and dozens of shares and comments[5]. User discussions reflected a mix of practical security advice and broader geopolitical concerns regarding hardware provenance. For security professionals, this incident reinforces the need for robust asset management, including the prompt identification and decommissioning of end-of-life network hardware, and the implementation of network segmentation to limit the blast radius of a compromised device. Continuous monitoring for anomalous outbound traffic, which may indicate a device has been co-opted into a proxy botnet, is also critical.