Cyber Resilience

CVE-2025-9377

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 29 August 2025
Modified: 03 November 2025
KEV Added: 03 September 2025
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.2691 (96.5th percentile)
Risk Priority: 53 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9377 is a high-severity OS Command Injection (CWE-78) vulnerability in TP-Link TL-WR841N firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9377 is an authenticated remote command execution vulnerability caused by improper neutralization of special elements used in an OS command (CWE-78). It resides in the Parental Control page of the TP-Link Archer C7(EU) V2 firmware prior to version 241108 and the TL-WR841N/ND(MS) V9 firmware prior to version 241108; both devices have reached end-of-life status.

An attacker with administrative credentials can send crafted requests over the network to the Parental Control interface and execute arbitrary commands on the device, resulting in full compromise of confidentiality, integrity, and availability without user interaction.

TP-Link advisories direct owners to apply the 241108 firmware patches available via the vendor’s support pages or to replace the devices with newer models, noting that both products are EOL. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog.

EPSS scores reached a peak of 0.3086 and currently stand at 0.2691, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It is recommended to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).

CWE(s)
KEV Date Added: 03 September 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Authenticated OS command injection (CWE-78) on the web management interface of an internet-facing router directly enables remote exploitation of a public-facing application and arbitrary Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22225 · Same vendor: TP-Link
CVE-2026-0654 · Same vendor: TP-Link
CVE-2026-30818 · Same vendor: TP-Link
CVE-2026-0630 · Same vendor: TP-Link
CVE-2024-57357 · Same vendor: TP-Link
CVE-2026-3227 · Same product: TP-Link TL-WR841N
CVE-2026-0652 · Same vendor: TP-Link
CVE-2026-22227 · Same vendor: TP-Link
CVE-2024-40890 · Shared CWE-78 · both on KEV
CVE-2025-58034 · Shared CWE-78 · both on KEV

Affected Assets

Vendor · Product · Affected versions
tp-link · tl-wr841n firmware · ≤ 241108
tp-link · tl-wr841nd firmware · ≤ 241108
tp-link · archer c7 firmware · ≤ 241108

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely remediation of the known authenticated RCE flaw through patching the vulnerable firmware or replacing EOL devices.

prevent

Prohibits the use of unsupported EOL system components like the affected TP-Link routers, eliminating exposure to unpatchable vulnerabilities.

prevent

Enforces validation of user inputs to the Parental Control page, preventing command injection (CWE-78) exploitation even with administrative privileges.

References