The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding two critical security flaws found in several TP-Link wireless router models. These vulnerabilities, identified as CVE-2023-50224 and CVE-2025-9377, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a definitive list of flaws with documented evidence of in-the-wild exploitation. This inclusion serves as a strong signal to federal agencies and the public that these issues are not theoretical but represent a clear and present danger to network security. The move highlights the escalating threat landscape where even vulnerabilities in older, unsupported devices are being actively weaponized by malicious actors.
The two vulnerabilities present different, but equally serious, risks. CVE-2023-50224 is an authentication bypass vulnerability affecting the TP-Link TL-WR841N router. By exploiting this flaw, an attacker could bypass authentication to gain access to the device’s internal systems, potentially exposing stored credentials. This could serve as a stepping stone for further compromise, allowing an attacker to move laterally within a network. The second vulnerability, CVE-2025-9377, is a more severe operating system command injection flaw impacting the TP-Link Archer C7 V2 and TL-WR841N/ND V9. This vulnerability could lead to remote code execution (RCE), giving an attacker complete control over the compromised router.
Despite the gravity of these vulnerabilities, many of the affected devices, including the TL-WR841N (versions 10.0, 11.0), TL-WR841ND (version 10.0), and Archer C7 (versions 2.0, 3.0), have been designated as End-of-Life (EoL) by TP-Link. This means they are no longer actively supported and, in most cases, do not receive security patches. However, due to the confirmed active exploitation, TP-Link has taken the unusual step of releasing firmware updates for these EoL products in November 2024. The company's advisory stresses that while these updates provide a temporary fix, customers should upgrade to newer hardware for long-term security.
The exploitation activity linked to these vulnerabilities is not random. TP-Link’s advisory explicitly ties the in-the-wild exploitation to a botnet known as Quad7 (also called CovertNetwork-1658). This botnet is believed to be operated by a China-linked threat actor group, codenamed Storm-0940. This group is known for conducting highly evasive password spray attacks, and the exploitation of these router vulnerabilities provides them with a foothold to expand their malicious operations. The lack of public reports detailing the exploitation activity suggests the attacks are likely highly targeted and stealthy, making CISA’s proactive warning even more critical.
This latest advisory from CISA follows a similar warning issued just a day earlier concerning another TP-Link vulnerability, CVE-2020-24363, affecting the TL-WA855RE Wi-Fi Range Extender. The repeated addition of TP-Link vulnerabilities to the KEV catalog underscores a broader trend where legacy networking equipment, often left unpatched, becomes a prime target for nation-state actors and organized cybercriminals. CISA has given Federal Civilian Executive Branch (FCEB) agencies a deadline of September 24, 2025, to apply the necessary mitigations, highlighting the urgency of the situation and the potential for widespread impact if these flaws are left unaddressed.
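For a defender, the practical question behind a KEV addition is which owned devices the entry covers and how many days remain before the remediation due date. The script below is an added example, not code from the article, CISA or TP-Link: it matches a small constructed router inventory against KEV-style entries and reports the due-date status per device. The field names follow the layout of the KEV catalog's JSON feed; the CVE ids, vendor, products and the September 24, 2025 due date are taken from the article, while the `dateAdded` values, descriptions, the TL-WA855RE due date, the hostnames and the `PLACEHOLDER-MODEL` device are constructed placeholders.

```python
"""Match a router inventory against CISA KEV entries and compute remediation status.
Added example (not the article's, CISA's or TP-Link's code). KEV field names follow
the catalog's published JSON layout; all sample data below is constructed."""
import json
from datetime import date, datetime

# Constructed sample in the KEV JSON layout. CVE ids, vendor, products and the
# 2025-09-24 FCEB due date come from the article; dateAdded, descriptions and the
# TL-WA855RE due date are placeholders, not the catalog's real values.
SAMPLE_KEV_JSON = """{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link", "product": "TL-WR841N",
     "vulnerabilityName": "TP-Link TL-WR841N Authentication Bypass Vulnerability",
     "dateAdded": "2025-09-01", "shortDescription": "placeholder", "requiredAction": "placeholder",
     "dueDate": "2025-09-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2025-9377", "vendorProject": "TP-Link", "product": "Archer C7, TL-WR841N/ND",
     "vulnerabilityName": "TP-Link Archer C7 and TL-WR841N/ND OS Command Injection Vulnerability",
     "dateAdded": "2025-09-01", "shortDescription": "placeholder", "requiredAction": "placeholder",
     "dueDate": "2025-09-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link", "product": "TL-WA855RE",
     "vulnerabilityName": "placeholder vulnerability name",
     "dateAdded": "2025-08-31", "shortDescription": "placeholder", "requiredAction": "placeholder",
     "dueDate": "2025-09-23", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed inventory; hostnames and PLACEHOLDER-MODEL are made up. The "eol" flag
# marks hardware the vendor no longer supports, which needs a replacement plan, not
# just a one-off firmware update.
SAMPLE_INVENTORY = [
    {"hostname": "rtr-branch-01", "vendor": "TP-Link", "model": "TL-WR841N", "hw": "10.0", "eol": True},
    {"hostname": "rtr-branch-02", "vendor": "TP-Link", "model": "Archer C7", "hw": "2.0", "eol": True},
    {"hostname": "ext-lobby-01", "vendor": "TP-Link", "model": "TL-WA855RE", "hw": "1.0", "eol": True},
    {"hostname": "rtr-lab-01", "vendor": "TP-Link", "model": "PLACEHOLDER-MODEL", "hw": "1.0", "eol": False},
]


def load_kev(raw_json: str) -> list[dict]:
    """Return the 'vulnerabilities' array of a KEV-format JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def _parse_date(text: str) -> date:
    return datetime.strptime(text, "%Y-%m-%d").date()


def _variants(name: str) -> set[str]:
    """Expand one product name into the model strings it denotes.
    KEV writes close siblings as 'TL-WR841N/ND'; that covers 'TL-WR841N' and
    'TL-WR841ND', so the alternative suffix replaces the trailing letters of the base."""
    name = name.strip().lower()
    out = {name}
    if "/" in name:
        base, alt = name.split("/", 1)
        out.add(base)
        stem = base.rstrip("abcdefghijklmnopqrstuvwxyz")
        out.add(stem + alt)
    return out


def product_matches(model: str, kev_product: str) -> bool:
    """True when the inventory model is one of the (comma-separated) KEV products."""
    model = model.strip().lower()
    return any(model in _variants(part) for part in kev_product.split(","))


def triage(inventory: list[dict], entries: list[dict], today: date) -> list[dict]:
    """One finding per (device, KEV entry) pair, sorted by due date then hostname."""
    findings = []
    for dev in inventory:
        for entry in entries:
            if entry["vendorProject"].lower() != dev["vendor"].lower():
                continue
            if not product_matches(dev["model"], entry["product"]):
                continue
            due = _parse_date(entry["dueDate"])
            findings.append({
                "hostname": dev["hostname"], "model": dev["model"], "cveID": entry["cveID"],
                "dueDate": entry["dueDate"], "days_left": (due - today).days,
                "overdue": today > due, "eol": dev.get("eol", False),
            })
    findings.sort(key=lambda f: (f["dueDate"], f["hostname"]))
    return findings


def report_lines(findings: list[dict]) -> list[str]:
    """Human-readable one-liners; EoL devices are flagged for hardware replacement."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        eol = " [EoL: plan replacement]" if f["eol"] else ""
        lines.append(f"{f['hostname']:<14}{f['model']:<18}{f['cveID']:<16}due {f['dueDate']} {status}{eol}")
    return lines


if __name__ == "__main__":
    for line in report_lines(triage(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), date(2025, 9, 25))):
        print(line)
```

Against a real export of the catalog the only change is reading the JSON from the feed instead of `SAMPLE_KEV_JSON`; the device that matches no entry (`rtr-lab-01`) produces no finding, and a device that matches several entries (the TL-WR841N is named by both CVEs) produces one finding per CVE so each can be tracked to its own due date.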