CISA Warns of Active Exploits as New TP-Link Zero-Day Vulnerability Emerges
While CISA cautions that other router vulnerabilities have been used in attacks, TP-Link has verified the existence of an unpatched zero-day vulnerability affecting several router models.
Mehrun (ByteRay), a freelance threat researcher, found the zero-day vulnerability and submitted it to TP-Link on May 11, 2024.

News4Hackers was informed by the Chinese networking equipment company that it is now looking into the vulnerability’s disclosure and exploitability.
Work is in progress on updates for the U.S. and other international firmware versions, though no precise timeline has been given, even though a patch has reportedly already been built for European models.
According to the statement that TP-Link Systems Inc. issued to News4Hackers, “TP-Link is aware of the recently disclosed vulnerability affecting certain router models, as reported by ByteRay.”
“We have already created a fix for the affected European models because we take these findings seriously. Currently, efforts are being made to modify and speed up updates for the US and other international versions.”

“To verify device exposure criteria and deployment conditions, including whether CWMP is enabled by default, our technical team is also thoroughly examining the reported findings.”
“We strongly advise all users to use our official support channels to keep their devices updated with the most recent firmware as it becomes available.”

The issue is a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation, affecting an as yet unspecified number of routers; it has not been assigned a CVE ID.
The vulnerability is located in a function that processes SOAP SetParameterValues messages, according to researcher Mehrun, who discovered it using automated taint analysis of router binaries.

Because the “strncpy” calls perform no bounds checking, a value that exceeds the 3072-byte stack buffer overflows it, and the overflow can be leveraged to achieve remote code execution.
According to Mehrun, a plausible attack scenario is to redirect a vulnerable device to a malicious CWMP server and then send the oversized SOAP payload to trigger the overflow.
The redirection can be accomplished by exploiting vulnerabilities in outdated firmware or by logging into the device with default credentials the user has not changed.
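To make the bug class concrete for defenders and developers, the C program below is an added illustration; it is not TP-Link’s firmware code and not taken from the researcher’s report. It shows the strncpy misuse the article describes next to a hardened handler that bounds the copy by the destination and rejects oversized values. Only the 3072-byte buffer size comes from the article; the function names, the minimal `<Value>` extraction, and the sample SOAP bodies are constructed assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not TP-Link's firmware code. Only the 3072-byte
 * stack buffer comes from the article; names and message layout are assumed. */
#define PARAM_VALUE_MAX 3072

/* Vulnerable pattern (shown for contrast, never called): the copy length is
 * taken from the attacker-controlled SOAP <Value>, not from the destination,
 * so strncpy gives no protection and a long value overruns the stack buffer. */
void set_param_value_vulnerable(const char *value)
{
    char buf[PARAM_VALUE_MAX];
    size_t n = strlen(value);
    strncpy(buf, value, n);   /* bound derived from the source, not the buffer */
    buf[n] = '\0';            /* writes past buf when n >= PARAM_VALUE_MAX */
    (void)buf;
}

/* Hardened pattern: bound the copy by the destination, refuse anything that
 * does not fit (including the terminator), and always NUL-terminate. */
bool set_param_value_hardened(const char *value, size_t value_len,
                              char *out, size_t out_size)
{
    if (value == NULL || out == NULL || out_size == 0)
        return false;
    if (value_len >= out_size)          /* no room for the terminator: reject */
        return false;
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return true;
}

/* Minimal stand-in for the SOAP layer: locate the first <Value>...</Value>
 * text without copying it. A real CWMP stack would use an XML parser. */
static bool extract_value(const char *soap, const char **start, size_t *len)
{
    const char *open = strstr(soap, "<Value>");
    if (open == NULL)
        return false;
    open += strlen("<Value>");
    const char *close = strstr(open, "</Value>");
    if (close == NULL)
        return false;
    *start = open;
    *len = (size_t)(close - open);
    return true;
}

/* Handle one SetParameterValues body. Returns 0 on success, -1 if malformed,
 * -2 if the value is too large (the input that would overflow the vulnerable path). */
int handle_set_parameter_values(const char *soap_body)
{
    const char *val;
    size_t val_len;
    char buf[PARAM_VALUE_MAX];

    if (!extract_value(soap_body, &val, &val_len))
        return -1;
    if (!set_param_value_hardened(val, val_len, buf, sizeof buf))
        return -2;
    return 0;   /* buf now holds a bounded, terminated copy of the value */
}

/* Build a constructed SetParameterValues body whose <Value> is value_len bytes
 * of 'A' and run it through the handler. Returns the handler's result, or -3
 * if the request would not fit the local message buffer. */
int simulate_request(size_t value_len)
{
    static char msg[8192];
    const char *head = "<SetParameterValues><ParameterList><ParameterValueStruct>"
                       "<Name>Device.ManagementServer.URL</Name><Value>";
    const char *tail = "</Value></ParameterValueStruct></ParameterList>"
                       "</SetParameterValues>";
    size_t pos = 0;

    if (strlen(head) + value_len + strlen(tail) + 1 > sizeof msg)
        return -3;
    memcpy(msg + pos, head, strlen(head)); pos += strlen(head);
    memset(msg + pos, 'A', value_len);     pos += value_len;
    memcpy(msg + pos, tail, strlen(tail)); pos += strlen(tail);
    msg[pos] = '\0';
    return handle_set_parameter_values(msg);
}

int main(void)
{
    printf("64-byte value:   %d\n", simulate_request(64));    /* 0  */
    printf("3071-byte value: %d\n", simulate_request(3071));  /* 0  */
    printf("3072-byte value: %d\n", simulate_request(3072));  /* -2 */
    printf("malformed body:  %d\n", handle_set_parameter_values("<Name>x</Name>")); /* -1 */
    return 0;
}
```

The point of the contrast is the source of the length argument: strncpy only protects a buffer when its third argument is derived from the destination’s size, and the hardened handler additionally fails closed, returning an error the caller can turn into a SOAP fault rather than continuing with truncated or unterminated data.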
Once remote code execution has been achieved, the router can be made to silently intercept or alter unencrypted traffic, redirect DNS queries to malicious domains, and inject malicious payloads into web sessions.
Through testing, the researcher confirmed that the TP-Link Archer AX10 and Archer AX1500 ship with the vulnerable CWMP binaries; both are popular models currently sold in a number of markets.
Mehrun said that the TD-W9970, Archer VR400, EX141, and perhaps a few other TP-Link router models are also impacted.
Until TP-Link identifies which devices are at risk and publishes patches for them, users should update their device firmware, change the default admin password, and disable CWMP if it is not in use. Where possible, segment the router from critical networks.
CISA warns of exploited TP-Link flaws
CISA yesterday added two more TP-Link vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its catalog of Known Exploited Vulnerabilities; both have been used by the Quad7 botnet to compromise routers.

CVE-2025-9377 is a command injection vulnerability, and CVE-2023-50224 is an authentication bypass vulnerability. Together, they give threat actors the ability to remotely execute code on TP-Link devices that are susceptible.
The Quad7 botnet has been exploiting these vulnerabilities since 2023 to infect routers with custom malware that turns them into traffic relays and proxies.
To avoid detection, Chinese threat actors have been routing malicious activity through these hijacked routers as proxies, blending it in with legitimate traffic.
In 2024, Microsoft observed threat actors using the botnet to launch password-spray attacks against Microsoft 365 and cloud services in order to steal credentials.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.