Two vulnerabilities affecting TP-Link routers, CVE-2023-50224 and CVE-2025-9377, have been flagged as actively exploited in the wild, prompting urgent attention from security professionals. Both flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog, underscoring their critical nature.
CVE-2023-50224, a medium-severity vulnerability with a CVSS score of 6.5, affects the TP-Link TL-WR841N router. This flaw, identified as an improper authentication information disclosure vulnerability, allows network-adjacent attackers to access sensitive information without needing authentication. The vulnerability was disclosed on May 3, 2024, and has been exploited within 487 days of its disclosure.
CVE-2025-9377, a high-severity vulnerability with a CVSS score of 7.2, impacts multiple TP-Link routers, including the Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 models. This zero-day vulnerability involves an authenticated remote command execution (RCE) flaw located in the Parental Control page of the affected routers. Notably, this vulnerability was exploited before its disclosure on August 29, 2025, highlighting its critical nature and the need for immediate mitigation.
Both vulnerabilities have been marked with an "attend" status in the Stakeholder-Specific Vulnerability Categorization (SSVC), indicating the necessity for immediate action. The affected TP-Link models have reached end-of-life status, complicating patching efforts. Security teams should prioritize identifying and mitigating these vulnerabilities, especially given their active exploitation status. Organizations using these routers should consider replacing them with supported models or implementing network segmentation to mitigate potential risks.
CSURFACE