CISA Warns TP-Link Vulnerabilities Exploited in Active Cyberattacks

The Cybersecurity and Infrastructure Security Agency (CISA) has added two severe TP-Link router flaws to its Known Exploited Vulnerabilities (KEV) catalog, alerting users to immediate risks.

Millions of home and small business networks leveraging popular TP-Link models are exposed to active exploitation by threat actors.

Technical Breakdown and Mitigation

CISA’s actor highlights two critical vulnerabilities requiring prompt remediation.

Both issues were cataloged and carry a mandatory fix deadline of September 24, 2025, for federal agencies under the Binding Operational Directive 22-01.

Remaining on outdated firmware escalates the risk of full system compromise or unauthorized access to sensitive credentials.

CVE ID	Affected Models	Vulnerability Type	CWE	Date Added	Due Date
CVE-2025-9377	Archer C7(EU), TL-WR841N/ND(MS)	OS Command Injection	CWE-78	2025-09-03	2025-09-24
CVE-2023-50224	TL-WR841N	Authentication Bypass by Spoofing	CWE-290	2025-09-03	2025-09-24

CVE-2025-9377 resides in the Parental Control page of the router’s web administration interface.

This OS command injection flaw allows attackers to submit crafted input, triggering the underlying operating system to execute arbitrary commands with root privileges.

Exploitation of this weakness can yield complete device takeover, persistence, and lateral movement within local networks.

The second flaw, CVE-2023-50224, targets the httpd service on TCP port 80 of the TL-WR841N model.

Through spoofed authentication tokens, adversaries can bypass login controls, access stored user credentials, and manipulate administrative functions.

Classified as an authentication bypass via spoofing, this vulnerability undermines the integrity of the router’s credential validation, enabling unauthorized configuration changes and firmware tampering.

Both affected models are nearing or have reached end-of-life (EoL) or end-of-service (EoS) status.

Absent manufacturer security updates, these routers remain indefinitely vulnerable, complicating long-term risk management.

Users relying on EoL/EoS devices face heightened exposure to zero-day exploits and unpatched attack vectors.

To mitigate these threats, network administrators and home users should:

1. Identify: Verify device model numbers against the affected list.
2. Discontinue: Immediately cease use of EoL/EoS models.
3. Update: For supported devices, install the latest firmware provided by TP-Link.
4. Harden: Disable remote administration and change default credentials to strong, unique passwords.
5. Monitor: Subscribe to CISA and vendor security advisories for emerging vulnerabilities.
6. Isolate: Segregate legacy devices on dedicated network segments to limit potential compromise.

These incidents underscore the persistent security challenges in consumer networking equipment.

As routers serve as the primary gateway for personal and business data, maintaining up-to-date firmware, implementing network segmentation, and replacing outdated hardware are essential practices.

The active exploitation of these TP-Link flaws reinforces the need for vigilance and rapid response to safeguard critical network infrastructure.

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post CISA Warns TP-Link Vulnerabilities Exploited in Active Cyberattacks appeared first on Cyber Security News.