TP-Hyperlink has confirmed the existence of an unpatched zero-day vulnerability impacting a number of router fashions, as CISA warns that different router flaws have been exploited in assaults.
The zero-day vulnerability was found by unbiased risk researcher Mehrun (ByteRay), who famous that he first reported it to TP-Hyperlink on Could 11, 2024.
The Chinese language networking gear large confirmed to BleepingComputer that it’s at the moment investigating the exploitability and publicity of the flaw.
Although a patch is reportedly already developed for European fashions, work is underway to develop fixes for U.S. and world firmware variations, with no particular date estimates given.
“TP-Hyperlink is conscious of the lately disclosed vulnerability affecting sure router fashions, as reported by ByteRay,” reads the assertion TP-Hyperlink Methods Inc. despatched to BleepingComputer.
“We take these findings critically and have already developed a patch for impacted European fashions. Work is at the moment underway to adapt and expedite updates for U.S. and different world variations.”
“Our technical staff can be reviewing the reported findings intimately to substantiate gadget publicity standards and deployment situations, together with whether or not CWMP is enabled by default.”
“We strongly encourage all customers to maintain their units up to date with the most recent firmware because it turns into accessible through our official help channels.”
The vulnerability, which doesn’t have a CVE-ID assigned to it but, is a stack-based buffer overflow in TP-Hyperlink’s CWMP (CPE WAN Administration Protocol) implementation on an unknown variety of routers.
Researcher Mehrun, who discovered the flaw by means of automated taint evaluation of router binaries, explains that it lies in a operate that handles SOAP SetParameterValues messages.
The issue is brought on by an absence of bounds checking in ‘strncpy’ calls, making it attainable to attain distant code execution through buffer overflow when the stack buffer measurement is above 3072 bytes.
Mehrun says a practical assault could be to redirect susceptible units to a malicious CWMP server after which ship the outsized SOAP payload to set off the buffer overflow.
That is achievable by exploiting flaws in outdated firmware or accessing the gadget through the use of default credentials that the customers haven’t modified.
As soon as compromised through RCE, the router might be instructed to reroute DNS queries to malicious servers, silently intercept or manipulate unencrypted visitors, and inject malicious payloads into net periods.
The researcher confirmed by means of testing that TP-Hyperlink Archer AX10 and Archer AX1500 use susceptible CWMP binaries. Each are extremely common router fashions which are at the moment accessible on the market in a number of markets.
Mehrun additionally famous that EX141, Archer VR400, TD-W9970, and probably a number of different router fashions from TP-Hyperlink are doubtlessly affected.
Till TP-Hyperlink determines which units are susceptible and releases fixes for them, customers ought to change default admin passwords, disable CWMP if not wanted, and apply the most recent firmware replace for his or her gadget. If attainable, section the router from vital networks.
CISA warns of exploited TP-Hyperlink flaws
Yesterday, CISA added two different TP-Hyperlink flaws, tracked CVE-2023-50224 and CVE-2025-9377, to the Identified Exploited Vulnerability catalog that the Quad7 botnet has exploited to compromise routers.
CVE-2023-50224 is an authentication bypass flaw, and CVE-2025-9377 is a command injection flaw. When chained collectively, they permit risk actors to achieve distant code execution on susceptible TP-Hyperlink units.
Since 2023, the Quad7 botnet has been exploiting the issues to put in customized malware on routers that convert them into proxies and visitors relays.
Chinese language risk actors have been utilizing these compromised routers to proxy, or relay, malicious assaults whereas mixing in with authentic visitors to evade detection.
In 2024, Microsoft noticed risk actors utilizing the botnet to carry out password spray assaults on cloud companies and Microsoft 365, aiming to steal credentials.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration tendencies.
