CVE-2025-9377 — TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability

TP-Link Archer C7 / WR841N — Authenticated Command Injection via Parental Control; EOL Hardware; CISA Recommends Discontinue Use

The TP-Link Archer C7 and TL-WR841N/ND are consumer wireless routers widely deployed in homes and small offices. The Parental Control feature in these routers allows administrators to block access to specific websites by domain name or keyword for controlled devices. The routers' web management interfaces expose configuration functionality via CGI endpoints that run as root on the embedded Linux system.

Consumer routers represent a persistent attack surface: large numbers of devices deployed long past end-of-support, often with unchanged default credentials, internet-accessible management interfaces (via UPnP or port forwarding), and no automatic update mechanism.

Overview

CVE-2025-9377 is an OS command injection vulnerability (CWE-78) in the Parental Control configuration page of TP-Link Archer C7(EU) and TL-WR841N/ND(MS) routers. An authenticated attacker with administrative credentials can inject shell metacharacters into Parental Control parameters, achieving arbitrary OS command execution as root on the router's underlying Linux system. Both products are end-of-life/end-of-service; TP-Link released a final patch (firmware 241108, November 2024) and CISA recommends discontinuing use of these devices.

Affected Versions

Product          Hardware   Vulnerable           Fixed
Archer C7(EU)    V2         < firmware 241108    241108 (November 2024); EOL device
TL-WR841N(MS)    V9         < firmware 241108    241108 (November 2024); EOL device
TL-WR841ND(MS)   V9         < firmware 241108    241108 (November 2024); EOL device

Note: These products are end-of-life. TP-Link released the November 2024 firmware as a final security patch. No further updates will be released.

Technical Details

The OS command injection (CWE-78) is in the router's web management interface, specifically in the Parental Control configuration page. Parameters submitted through the Parental Control form (such as domain names or MAC address fields) are passed without sufficient sanitization to a shell command executed on the router's Linux system. By injecting shell metacharacters (e.g., ;, |, $()), an authenticated admin user can cause the router to execute arbitrary commands with root privileges.
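The CWE-78 pattern described above, as an added example that is not TP-Link's firmware code: a small C handler in the style of an embedded CGI that turns a submitted Parental Control domain into a block rule. The sink (an iptables string-match rule run through /bin/sh), the function names and the argv layout are assumptions made for the illustration; the advisory does not publish the actual command the router constructs. The vulnerable builder splices the field into a shell command line, and the hardened version validates the field against a strict hostname grammar and hands it to exec as a single argv element so no shell ever parses it.

```c
/*
 * Added illustration of the CWE-78 pattern (not TP-Link firmware code).
 * Assumptions for the demo: the handler blocks a domain with an iptables
 * string-match rule, and the vulnerable version runs it via "sh -c".
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: the user-controlled domain is spliced into a shell command line.
 * The single quotes do not help once the input itself contains a quote, and
 * ; | & $( ) ` all keep their shell meaning when this string reaches sh -c. */
int build_block_cmd_vulnerable(const char *domain, char *out, size_t outlen)
{
    return snprintf(out, outlen,
                    "iptables -I FORWARD -m string --string '%s' --algo bm -j DROP",
                    domain);
}

/* Returns 1 if s is a plausible hostname (RFC 1123 label grammar), else 0.
 * This is an allowlist: anything outside [A-Za-z0-9.-] is rejected, which
 * covers every shell metacharacter, quotes, whitespace and newlines. */
int domain_is_safe(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0; /* empty label / trailing '-' */
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;
        if (label == 0 && c == '-') return 0;            /* label may not start with '-' */
        if (++label > 63) return 0;
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hardened: validate first, then build an argv vector for execv()/posix_spawn()
 * so the domain is passed as one argument and is never re-parsed by a shell.
 * Returns argc on success, -1 if the input is rejected or argv is too small. */
int build_block_argv(const char *domain, const char *argv[], size_t max_args)
{
    static const char *prefix[] = {"/usr/sbin/iptables", "-I", "FORWARD",
                                   "-m", "string", "--string"};
    size_t n = sizeof prefix / sizeof prefix[0];
    if (!domain_is_safe(domain) || max_args < n + 6) return -1;
    for (size_t i = 0; i < n; i++) argv[i] = prefix[i];
    argv[n++] = domain;   /* a single argv element, whatever characters it holds */
    argv[n++] = "--algo";
    argv[n++] = "bm";
    argv[n++] = "-j";
    argv[n++] = "DROP";
    argv[n] = NULL;
    return (int)n;        /* 11 */
}

int main(void)
{
    /* Constructed sample inputs: a benign domain and two injection attempts. */
    const char *inputs[] = {"example.com", "x.com'; reboot; echo '", "$(id).com"};
    char cmd[256];
    const char *argv[16];
    for (size_t i = 0; i < 3; i++) {
        build_block_cmd_vulnerable(inputs[i], cmd, sizeof cmd);
        printf("vulnerable sh -c line: %s\n", cmd);
        int argc = build_block_argv(inputs[i], argv, 16);
        printf("hardened handler:      %s\n\n",
               argc < 0 ? "REJECTED (not a hostname)" : argv[6]);
    }
    return 0;
}
```

Running it shows the vulnerable line for the second input ending the quoted argument early and appending `reboot` as a separate command, while the hardened handler refuses both injection attempts before any command is built. The same two controls apply to the MAC address field or any other form parameter: an allowlist matched to the field's real grammar, plus an exec path that never involves a shell.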

Attack prerequisites:

  • Authenticated access to the router's web management page with administrative credentials. This is the only hard requirement (reflected in the CVSS vector as PR:H).
  • In practice the bar is low: admin credentials are commonly left at factory defaults (admin/admin or a blank password) on consumer routers.
  • The attacker does not need to be on the LAN if the management interface is reachable from the internet, which is common where remote management is enabled or port-forwarding rules were set by the user or ISP.

Post-exploitation impact:

  • Full root access to the router's Linux system
  • Network traffic interception and manipulation
  • DNS hijacking for downstream phishing attacks
  • Botnet recruitment (Mirai and similar IoT botnets actively target routers)
  • Lateral movement to connected internal network devices

Discovery

Not publicly attributed.

Exploitation Context

Active exploitation was confirmed before the September 3, 2025 CISA KEV listing. Consumer router exploitation at scale is typically associated with botnet operators (Mirai variants, Volt Typhoon SOHO compromise campaigns) that leverage default credentials combined with command injection to recruit routers as botnet nodes or network proxies. The EOL status means many deployed devices will never receive the November 2024 patch.

Remediation

  1. Discontinue use. This is CISA's primary recommendation for EOL devices: replace the Archer C7(EU) and TL-WR841N/ND(MS) with a current-generation router from a vendor with an active security update program.
  2. If immediate replacement is not possible: apply firmware 241108 (the final November 2024 patch), change the admin password from the default, and disable remote management so the web interface is reachable only from the LAN.
  3. Disable UPnP on the router. UPnP lets any LAN host open inbound port mappings without authentication, so a compromised PC or IoT device can expose the management port to the internet without the administrator knowing.
  4. Block WAN access to the router's management port (HTTP/HTTPS, typically 80/443 or 8080) with the router's own remote-management/firewall settings or with a perimeter firewall in front of it, and confirm from an external address that the port is closed.
  5. Audit your network for other EOL networking equipment (routers, switches, IP cameras) that will never receive security patches.

Key Details

Property                 Value
CVE ID                   CVE-2025-9377
Vendor / Product         TP-Link — Multiple Routers
NVD Published            2025-08-29
NVD Last Modified        2025-11-03
CVSS 3.1 Score           7.2
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity                 HIGH
CWE                      CWE-78
CISA KEV Added           2025-09-03
CISA KEV Deadline        2025-09-24
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-09-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-11-08   TP-Link releases firmware 241108 for Archer C7(EU) and TL-WR841N/ND(MS) with the fix
2025-08-29   CVE published (delayed CVE assignment; the fix was released in November 2024)
2025-09-03   Added to the CISA Known Exploited Vulnerabilities catalog; CISA recommends discontinuing use of the EOL devices
2025-09-24   CISA BOD 22-01 remediation deadline

References

Resource                                            Type
TP-Link Support — CVE-2025-9377 Security Advisory   Vendor Advisory
NVD — CVE-2025-9377                                 Vulnerability Database
CISA KEV Catalog Entry                              US Government