Attack

TP-Link router flaws exploited by botnet

Take action: If you're using TP-Link routers, isolate the admin interface from public internet access. Especially if you are running Archer C7, TL-WR841N, or TL-WA855RE. Then update to the latest firmware. Finally, plan to replace any end-of-life models that can't be patched. Such devices will be hacked, given enough time.


Learn More

CISA has added three TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation by threat actors associated with the Quad 7 botnet. 

Independent security researchers have disclosed a separate zero-day vulnerability in TP-Link's CWMP implementation that remains unpatched and affects thousands of internet-exposed devices.

Exploited flaws:

  • CVE-2025-9377 (CVSS score 8.6) - OS Command Injection vulnerability in TP-Link Archer C7(EU) and TL-WR841N/ND(MS) routers. Exploitation of this vulnerability enables remote code execution when attackers manipulate the url_0 parameter, allowing complete device takeover and potential network compromise.
  • CVE-2023-50224 (CVSS score 6.5) - Authentication Bypass by Spoofing vulnerability in TP-Link TL-WR841N routers that allows unauthenticated, network-adjacent attackers to access stored credentials. The flaw exists in the httpd service listening on TCP port 80, where improper authentication mechanisms let attackers retrieve credential pairs stored in /tmp/dropbear/dropbearpwd and replay them in HTTP Basic authentication requests.
  • CVE-2020-24363 (CVSS score 8.8) - Missing Authentication for Critical Function vulnerability in TP-Link TL-WA855RE range extenders. It allows unauthenticated attackers on the local network to trigger a factory reset and reboot via a TDDP_RESET POST request. After the device reboots, attackers can set new administrative passwords and gain complete control of the device.

The exploitation campaign has been attributed to Chinese state-linked threat actors operating the Quad 7 botnet, also known as the 7777 botnet, xlogin botnet, or CovertNetwork-1658. 

Organizations and users operating affected TP-Link devices should disable remote administration interfaces or restrict access to specific IP addresses, update firmware to the latest available versions, and consider replacing end-of-life devices with supported alternatives where possible.
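To make the flaw list and the "restrict access" advice above actionable on the detection side, here is an added example (not from the advisory, CISA, or TP-Link) that triages admin-interface access logs for the three KEV patterns and for access from outside an allowlist. The log format, the sample lines, the allowlisted network, and the assumption that url_0 arrives as a GET query parameter are all constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not a real TP-Link log format):
# "<src_ip> <method> <path> [<body>] <status>"
SAMPLE_LOG = """\
192.168.0.10 GET /status 200
192.168.0.10 GET /cgi?url_0=http%3A%2F%2Fintranet%2Ffw.bin 200
203.0.113.7 GET /login 200
203.0.113.7 GET /cgi?url_0=a%3Bb 200
203.0.113.9 POST /tddp TDDP_RESET 200
198.51.100.4 GET /tmp/dropbear/dropbearpwd 401
"""

# Networks from which admin-interface access is expected (assumption for this example).
ADMIN_ALLOWLIST = [ipaddress.ip_network("192.168.0.0/24")]
# Characters that have no business in a URL parameter handed to a shell.
SHELL_META = set(";|`$&\n\r")

def parse_line(line):
    """Split one constructed log line into (src_ip, method, path, body)."""
    parts = line.split()
    src, method, path = parts[0], parts[1], parts[2]
    body = " ".join(parts[3:-1])  # anything between the path and the status code
    return src, method, path, body

def triage(log_text, allowlist=ADMIN_ALLOWLIST):
    """Return (src_ip, reason) findings for lines matching the advisory's patterns."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, method, path, body = parse_line(line)
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in allowlist):
            findings.append((src, "admin interface reached from non-allowlisted source"))
        query = parse_qs(urlsplit(path).query)  # parse_qs percent-decodes values
        if any(SHELL_META & set(v) for v in query.get("url_0", [])):
            findings.append((src, "url_0 contains shell metacharacters (CVE-2025-9377 pattern)"))
        if method == "POST" and "TDDP_RESET" in body:
            findings.append((src, "TDDP_RESET POST, factory-reset attempt (CVE-2020-24363 pattern)"))
        if "dropbearpwd" in path:
            findings.append((src, "request for stored credential file (CVE-2023-50224 pattern)"))
    return findings

if __name__ == "__main__":
    for src, reason in triage(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Any finding from an allowlisted source still deserves attention, since these flaws are reachable by network-adjacent attackers as well as from the internet.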
