Ethical Hacking News
A zero-day flaw in TP-Link's CWMP implementation has been disclosed, allowing threat actors to achieve remote code execution via a buffer overflow. With no fix yet available for it, experts urge users to apply mitigations and the latest firmware, and warn that two other TP-Link vulnerabilities are being actively exploited by the Quad7 botnet.
TP-Link's CWMP implementation has a zero-day flaw discovered by independent threat researcher Mehrun (ByteRay). The vulnerability can be exploited for remote code execution via a buffer overflow caused by missing bounds checks on 'strncpy' calls. According to the researcher, attackers can reach the vulnerable code by exploiting flaws in outdated firmware or by logging in with default credentials that users have not changed. Confirmed affected models are the TP-Link Archer AX10 and Archer AX1500; the EX141, Archer VR400 and TD-W9970 may also be affected. Users should change default admin passwords, disable CWMP if it is not needed, and apply the latest firmware updates. Separately, CISA has added two other TP-Link flaws, CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities catalog.
A zero-day flaw in TP-Link's CWMP (CPE WAN Management Protocol) implementation has been publicly disclosed. It was identified by independent threat researcher Mehrun (ByteRay), who first reported it to TP-Link on May 11, 2024, more than a year before the public disclosure. The flaw has drawn the attention of security experts and users alike because it can be exploited to achieve remote code execution via a buffer overflow.
According to Mehrun, the vulnerability lies in the function that handles SOAP SetParameterValues messages, the TR-069 RPC an auto-configuration server (ACS) uses to write parameters on the device. The bug is a lack of bounds checking around 'strncpy' calls: the length passed to strncpy limits how much of the source is read, not how much the destination can hold, so when that length is derived from the message itself an oversized SOAP payload overflows the destination buffer and lets the attacker execute code remotely. Mehrun also noted that an attacker can reach the vulnerable code path by exploiting flaws in outdated firmware or by accessing the device with default credentials that users have not changed.
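To make the strncpy pattern concrete, here is an added illustration that is not TP-Link's code (the page does not reproduce it): a simulated CWMP handler extracts the Value element from a SetParameterValues body and copies it into a fixed-size buffer, once with a payload-derived length (vulnerable) and once bounded by the destination (hardened). The 64-byte buffer, the canary standing in for whatever sits behind the buffer on a real stack, the constructed SOAP body and the parameter name used in it are all assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All sizes below are assumptions for the demo; the page does not give
 * TP-Link's real buffer size or code. */
#define VALUE_BUF_SIZE 64            /* fixed destination buffer */
#define CANARY_VALUE   0xDEADBEEFu   /* stand-in for data behind the buffer */
#define FRAME_SLACK    128           /* keeps the demo overflow inside one object */
#define MSG_MAX        512

/* Simulated frame: the value buffer, then a canary standing in for what sits
 * behind it on a real stack (saved registers, return address), then slack.
 * One flat array, so the demonstration overflow stays well-defined. */
typedef struct {
    unsigned char bytes[VALUE_BUF_SIZE + sizeof(uint32_t) + FRAME_SLACK];
} frame_t;

static void frame_init(frame_t *f) {
    uint32_t c = CANARY_VALUE;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + VALUE_BUF_SIZE, &c, sizeof c);
}

static int frame_canary_intact(const frame_t *f) {
    uint32_t c;
    memcpy(&c, f->bytes + VALUE_BUF_SIZE, sizeof c);
    return c == CANARY_VALUE;
}

/* Locate the text of the first <Value> element in a SOAP body (no copy). */
static const char *find_value(const char *soap, size_t *len) {
    const char *start = strstr(soap, "<Value>");
    if (!start) return NULL;
    start += strlen("<Value>");
    const char *end = strstr(start, "</Value>");
    if (!end) return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* VULNERABLE pattern: strncpy's third argument bounds the *source*, and here
 * it comes straight from the attacker's payload, so nothing limits the write
 * into dst. It also leaves dst unterminated when srclen >= its size. */
static void set_value_vulnerable(char *dst, const char *src, size_t srclen) {
    strncpy(dst, src, srclen);
}

/* Hardened: reject anything that does not fit with room for the NUL, then
 * copy exactly srclen bytes and terminate. Returns 0 on success, -1 on reject. */
static int set_value_hardened(char *dst, size_t dstsz,
                              const char *src, size_t srclen) {
    if (dstsz == 0 || srclen >= dstsz) return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Constructed SetParameterValues body (not a captured TP-Link message) whose
 * Value is value_len 'A' bytes. Returns the body length, or 0 if it won't fit. */
static size_t build_spv_message(char *out, size_t outsz, size_t value_len) {
    static const char head[] =
        "<soap:Envelope><soap:Body><cwmp:SetParameterValues><ParameterList>"
        "<ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.URL</Name>"
        "<Value>";
    static const char tail[] =
        "</Value></ParameterValueStruct></ParameterList>"
        "</cwmp:SetParameterValues></soap:Body></soap:Envelope>";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;
    if (hl + value_len + tl + 1 > outsz) return 0;
    memcpy(out, head, hl);
    memset(out + hl, 'A', value_len);
    memcpy(out + hl + value_len, tail, tl + 1);   /* includes the NUL */
    return hl + value_len + tl;
}

/* Build a message with a value_len-byte Value, parse it, and run it through the
 * hardened (nonzero) or vulnerable handler. Returns -1 if the demo can't be set up. */
static int run_handler(size_t value_len, int hardened, int *rc, int *canary_ok) {
    char msg[MSG_MAX];
    frame_t f;
    size_t vlen = 0;
    if (!build_spv_message(msg, sizeof msg, value_len)) return -1;
    const char *v = find_value(msg, &vlen);
    if (!v || vlen > sizeof f.bytes) return -1;
    frame_init(&f);
    if (hardened) {
        *rc = set_value_hardened((char *)f.bytes, VALUE_BUF_SIZE, v, vlen);
    } else {
        set_value_vulnerable((char *)f.bytes, v, vlen);
        *rc = 0;                       /* the vulnerable path never says no */
    }
    *canary_ok = frame_canary_intact(&f);
    return 0;
}

/* Vulnerable handler: 1 if the canary behind the buffer was overwritten, else 0. */
int vulnerable_clobbers_canary(size_t value_len) {
    int rc, ok;
    return run_handler(value_len, 0, &rc, &ok) == 0 ? !ok : -1;
}

/* Hardened handler: 0 (accepted) or -1 (rejected); -2 if the demo failed or,
 * which must never happen, the canary was touched. */
int hardened_result(size_t value_len) {
    int rc, ok;
    if (run_handler(value_len, 1, &rc, &ok) != 0 || !ok) return -2;
    return rc;
}

int main(void) {
    printf("vulnerable, 100-byte Value: canary clobbered = %d\n",
           vulnerable_clobbers_canary(100));
    printf("hardened,   100-byte Value: rc = %d\n", hardened_result(100));
    printf("hardened,    32-byte Value: rc = %d\n", hardened_result(32));
    return 0;
}
```

The point to take from the pair: a length argument only protects the destination when it is derived from the destination's size, and strncpy still needs an explicit terminator when the source fills the buffer. On a real device the overwritten bytes would be the neighbouring stack data rather than a canary, which is what turns the overflow into code execution.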
Mehrun's research showed that the TP-Link Archer AX10 and Archer AX1500, both popular models still on sale in multiple markets, use vulnerable CWMP binaries. The EX141, Archer VR400, TD-W9970 and possibly several other TP-Link models may also be affected.
Until TP-Link determines which devices are vulnerable and releases fixes for them, users should change default admin passwords, disable CWMP if it is not needed (it is normally required only when an ISP manages the device remotely), and apply the latest firmware update for their device. Where possible, segmenting the router from critical networks also limits the damage a compromised device can do.
CISA recently added two other TP-Link flaws, tracked as CVE-2023-50224 and CVE-2025-9377, to its Known Exploited Vulnerabilities (KEV) catalog; the Quad7 botnet has exploited both to compromise routers. CVE-2023-50224 is an authentication bypass flaw, while CVE-2025-9377 is a command injection flaw. Chained together, the bypass supplies the access the injection needs, giving threat actors remote code execution on vulnerable TP-Link devices.
The Quad7 botnet has been exploiting these flaws since 2023 to install custom malware on routers that convert them into proxies and traffic relays. Chinese threat actors have used these compromised routers to proxy malicious attacks while blending in with legitimate traffic to evade detection. In 2024, Microsoft observed threat actors using the botnet to perform password spray attacks on cloud services and Microsoft 365, aiming to steal credentials.
These recent developments underscore the ongoing importance of staying up-to-date with the latest software patches and ensuring that devices are secure. As security threats continue to evolve, it is essential for users to remain vigilant and take proactive steps to protect themselves against potential vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/New-TP-Link-Zero-Day-Flaw-Exposed-CISA-Warns-of-Exploited-Flaws-and-Urges-Users-to-Patch-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-tp-link-zero-day-surfaces-as-cisa-warns-other-flaws-are-exploited/
https://nvd.nist.gov/vuln/detail/CVE-2023-50224
https://www.cvedetails.com/cve/CVE-2023-50224/
https://nvd.nist.gov/vuln/detail/CVE-2025-9377
https://www.cvedetails.com/cve/CVE-2025-9377/
Published: Thu Sep 4 11:31:52 2025 by llama3.2 3B Q4_K_M