New TP-Link zero-day surfaces as CISA warns other flaws are exploited

TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks.

The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who noted that he first reported it to TP-Link on May 11, 2024.

The Chinese networking equipment giant confirmed to BleepingComputer that it is currently investigating the exploitability and exposure of the flaw.

Though a patch is reportedly already developed for European models, work is underway to develop fixes for U.S. and global firmware versions, with no specific date estimates given.

“TP-Link is aware of the recently disclosed vulnerability affecting certain router models, as reported by ByteRay,” reads the statement TP-Link Systems Inc. sent to BleepingComputer.

“We take these findings seriously and have already developed a patch for impacted European models. Work is currently underway to adapt and expedite updates for U.S. and other global versions.”

“Our technical team is also reviewing the reported findings in detail to confirm device exposure criteria and deployment conditions, including whether CWMP is enabled by default.”

“We strongly encourage all users to keep their devices updated with the latest firmware as it becomes available via our official support channels.”

The vulnerability, which doesn’t have a CVE-ID assigned to it yet, is a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation on an unknown number of routers.

Researcher Mehrun, who found the flaw through automated taint analysis of router binaries, explains that it lies in a function that handles SOAP SetParameterValues messages.

The problem is caused by a lack of bounds checking in ‘strncpy’ calls, making it possible to achieve remote code execution via buffer overflow when the stack buffer size is above 3072 bytes.

Mehrun says a realistic attack would be to redirect vulnerable devices to a malicious CWMP server and then deliver the oversized SOAP payload to trigger the buffer overflow.

This is achievable by exploiting flaws in outdated firmware or accessing the device by using default credentials that the users haven’t changed.

Once compromised via RCE, the router can be instructed to reroute DNS queries to malicious servers, silently intercept or manipulate unencrypted traffic, and inject malicious payloads into web sessions.

The researcher confirmed through testing that TP-Link Archer AX10 and Archer AX1500 use vulnerable CWMP binaries. Both are highly popular router models that are currently available for sale in multiple markets.

Mehrun also noted that EX141, Archer VR400, TD-W9970, and possibly several other router models from TP-Link are potentially affected.

Until TP-Link determines which devices are vulnerable and releases fixes for them, users should change default admin passwords, disable CWMP if not needed, and apply the latest firmware update for their device. If possible, segment the router from critical networks.

CISA warns of exploited TP-Link flaws

Yesterday, CISA added two other TP-Link flaws, tracked CVE-2023-50224 and CVE-2025-9377, to the Known Exploited Vulnerability catalog that the Quad7 botnet has exploited to compromise routers.

CVE-2023-50224 is an authentication bypass flaw, and CVE-2025-9377 is a command injection flaw. When chained together, they allow threat actors to gain remote code execution on vulnerable TP-Link devices.

Since 2023, the Quad7 botnet has been exploiting the flaws to install custom malware on routers that convert them into proxies and traffic relays.

Chinese threat actors have been using these compromised routers to proxy, or relay, malicious attacks while blending in with legitimate traffic to evade detection.

In 2024, Microsoft observed threat actors using the botnet to perform password spray attacks on cloud services and Microsoft 365, aiming to steal credentials.