CVE-2025-9377 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-08-29

Added to CISA KEV: 2025-09-03 5 DAYS BETWEEN CVE AND KEV

⚠️ CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity before patching
CRITICAL: Replace EOL routers immediately as no patches will be provided
If replacement not possible, disable remote management and WAN access to admin interface
Monitor network traffic for unusual router behavior and botnet communication patterns
Change default credentials and enable strongest available authentication

Here's what is known about the CVE-2025-9377 vulnerability exploitation:

Affected Applications/Services: The vulnerability affects TP-Link Archer C7 (EU) V2 and TL-WR841N/ND (MS) routers, which are internet-facing devices ^[1]^[2].

Active Exploitation: CISA has confirmed active exploitation of CVE-2025-9377 in the wild and has added it to its Known Exploited Vulnerabilities (KEV) catalog ^[3]^[4].

Attack Vectors and Exploitation Methods: It is an authenticated remote command execution (RCE) vulnerability found in the Parental Control page ^[1]^[5]. Exploitation allows attackers to execute arbitrary commands remotely, gaining control over the affected device ^[1]^[5].

Targeted Attacks: While actively exploited, the provided information does not explicitly confirm its use in *targeted* attacks ^[2], though it is associated with botnet activity ^[5].

CISA KEV Status: CVE-2025-9377 is listed in the CISA KEV catalog, with a deadline for remediation by September 24, 2025 ^[3].

Technical Details (Internet Exploitability): The vulnerability has a network attack vector and requires high privileges (authentication) for exploitation ^[6].

CVE-2025-9377 - CVE Details & Analysis | SOCRadar Labs CVE Radar
Description CVE-2025-9377 is an authenticated remote command execution (RCE) vulnerability affecting the Parental Control page of TP-Link Archer C7 (EU) V2 and TL-WR841N/ND (MS) V9 routers. Successful exploitation allows an attacker to execute arbitrary commands remotely, gaining control over the af…
CVE-2025-9377 Detail - NVD
Description. The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 ...
CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025 ...
CISA flags TP-Link flaws CVE-2023-50224 and CVE-2025-9377 as exploited, urging fixes by Sept 24, 2025.
CISA Warns: TP-Link Vulnerabilities Under Active Exploitation
CISA has issued an urgent warning regarding critical vulnerabilities in popular TP-Link router that are currently being actively exploited.
TP-Link warns of botnet infecting routers and targeting Microsoft 365 ...
CVE-2025-50224 is a vulnerability that allows an attacker to steal passwords from the router and CVE-2025-9377 is a known Parental Control ...

🔴 CVE-2025-9377