CVE-2025-9377
Published: 29 August 2025
Summary
CVE-2025-9377 is a high-severity OS command injection (CWE-78) vulnerability in TP-Link router firmware, affecting the Archer C7(EU) V2 and the TL-WR841N/ND(MS) V9. Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.5% of all CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9377 is an authenticated remote command execution vulnerability caused by improper neutralization of special elements used in an OS command (CWE-78). It resides in the Parental Control page of the TP-Link Archer C7(EU) V2 firmware prior to version 241108 and the TL-WR841N/ND(MS) V9 firmware prior to version 241108; both devices have reached end-of-life status.
An attacker who holds administrative credentials for the web management interface can send crafted requests over the network to the Parental Control page and execute arbitrary commands on the device, resulting in full compromise of confidentiality, integrity, and availability with no further user interaction. Because authentication is required, practical exposure is driven by two things a practitioner should check first: whether the management interface is reachable from the WAN, and whether the admin password is still the default, weak, or reused elsewhere.
TP-Link advisories direct owners to apply the 241108 firmware patches available via the vendor’s support pages or to replace the devices with newer models, noting that both products are EOL. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog.
The EPSS score (the estimated probability of exploitation in the wild within the next 30 days) peaked at 0.3086 and currently stands at 0.2691, i.e. roughly a 27% chance, indicating sustained exploitation activity after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26234
Vulnerability details
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It is recommended to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
- KEV Date Added: 03 September 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated OS command injection (CWE-78) in the web management interface of an internet-facing router maps to Exploit Public-Facing Application (T1190) for the initial access step, and the injected input is handed to the device's shell, which is Command and Scripting Interpreter: Unix Shell (T1059.004) for the execution step.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely remediation of the known authenticated RCE flaw by patching the vulnerable firmware to build 241108 or replacing the EOL devices.
- SA-22 (Unsupported System Components): prohibits the use of unsupported EOL system components such as the affected TP-Link routers, eliminating exposure to vulnerabilities that will never receive a fix.
- SI-10 (Information Input Validation): enforces validation of user input to the Parental Control page, so that a value containing shell metacharacters is rejected before it reaches an OS command. This blocks CWE-78 exploitation even when the request carries valid administrative credentials.
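The SI-10 control above is easiest to see as code. The C snippet below is an added illustration written for this page; it is not TP-Link firmware code and nothing about the real handler is known from the advisory. The parameter name "url", the assumption that the Parental Control page turns a blocked hostname into an iptables rule, and the function names are all hypothetical stand-ins for the CWE-78 pattern: a request field spliced into a command string, next to the hardened form that allowlists the value and then invokes the utility through an argv so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of CWE-78 in a router web handler (not TP-Link code).
 * ASSUMPTIONS: the Parental Control page accepts a hostname to block in a
 * parameter we call "url", and the firmware turns it into an iptables rule.
 * Neither detail is taken from the TP-Link firmware; they stand in for
 * whatever the real handler does with the field.
 */

#define CMD_MAX 512

/* Vulnerable pattern: the request field is spliced into a command line that
 * would then go to system()/popen(). snprintf() prevents overflow but does
 * nothing about shell metacharacters, so a value such as
 *   evil.com"; reboot; echo "
 * closes the quoted argument and appends attacker commands. Returns the
 * command line that would be executed (static buffer, demo only). */
const char *build_filter_cmd_vulnerable(const char *url)
{
    static char cmd[CMD_MAX];
    snprintf(cmd, sizeof cmd,
             "iptables -A FORWARD -m string --string \"%s\" --algo bm -j DROP",
             url);
    return cmd;
}

/* Hardened step 1: allowlist validation (SI-10). A hostname is ASCII
 * letters, digits, '-' and '.', 1..253 bytes, with no empty labels and no
 * leading or trailing separator. Anything else is rejected, not escaped:
 * escaping for one particular shell is fragile, an allowlist is not. */
int is_valid_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    if (s[0] == '-' || s[0] == '.' || s[len - 1] == '-' || s[len - 1] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
        if (c == '.' && s[i + 1] == '.') return 0;   /* empty label "a..b" */
    }
    return 1;
}

/* Hardened step 2: after validation, build an argv for execve()/posix_spawn()
 * instead of a command string, so no shell ever parses the value. The
 * hostname is one argv element no matter what it contains. Returns NULL
 * on rejected input, else a NULL-terminated argv (static, demo only). */
const char **build_filter_argv_hardened(const char *url)
{
    static const char *argv[12];
    if (!is_valid_hostname(url)) return NULL;
    const char **p = argv;
    *p++ = "/usr/sbin/iptables";
    *p++ = "-A";       *p++ = "FORWARD";
    *p++ = "-m";       *p++ = "string";
    *p++ = "--string"; *p++ = url;        /* argv[6]: the validated value */
    *p++ = "--algo";   *p++ = "bm";
    *p++ = "-j";       *p++ = "DROP";
    *p = NULL;
    return argv;
}

int main(void)
{
    /* Constructed sample inputs: a benign hostname and an injection attempt. */
    const char *benign = "kids-games.example";
    const char *attack = "evil.com\"; reboot; echo \"";

    printf("vulnerable command line: %s\n", build_filter_cmd_vulnerable(attack));
    printf("hardened rejects attack: %s\n",
           build_filter_argv_hardened(attack) == NULL ? "yes" : "no");
    const char **argv = build_filter_argv_hardened(benign);
    printf("hardened argv[6] for benign input: %s\n", argv ? argv[6] : "(rejected)");
    return 0;
}
```

Build with `cc -Wall -o cwe78_demo cwe78_demo.c` and run it; the first line printed shows the attacker's `"; reboot; echo "` surviving intact into the command string the vulnerable path would hand to a shell, while the hardened path refuses the same value. Note that the two hardening steps are independent: the allowlist alone already satisfies SI-10, and the argv form alone already removes the shell, but a firmware fix that does both leaves no room for a second, differently encoded payload.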