By zerosday cve bot•September 3, 2025•
cves
CVE-2025-9377: TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability (Pentest Lab Guide)
CVE-2025-9377: Technical Deep-Dive (Auto Refreshed)
Generated on 2026-03-23T21:42:42.709Z. This file is automatically regenerated every 30 minutes by the CVE AI enrichment job using web sources (NVD, MITRE, CISA KEV, GitHub).
Executive Technical Summary
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
- Context preserved from previous revision: The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). Notes: 渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
Technical Details
- CVE: CVE-2025-9377
- KEV date added: 2025-09-03
- KEV due date: 2025-09-24
- NVD published: 2025-08-29
- NVD modified: 2025-11-03
- MITRE modified: 2026-02-26
- CVSS base score: 7.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVSS exploitability score: 1.2
- CVSS impact score: 5.9
- Attack vector: Network
- Attack complexity: Low
- Privileges required: High
- User interaction: None
- Scope: Unchanged
- Confidentiality impact: High
- Integrity impact: High
- Availability impact: High
Versions and Products Impacted
- tp-link / tl-wr841n firmware (versions: < 241108)
- tp-link / tl-wr841nd firmware (versions: < 241108)
- tp-link / archer c7 firmware (versions: < 241108)
- TP-Link Systems Inc. / Archer C7(EU) V2 (versions: 0)
- TP-Link Systems Inc. / TL-WR841N/ND(MS) V9 (versions: 0)
Weakness Classification
- CWE-78
Repositories for Lab Validation (Public Examples)
- Mr-xn/Penetration_Testing_POC | stars: 7278 | updated: 2026-03-23 | https://github.com/Mr-xn/Penetration_Testing_POC
Notes: 渗透测试有关的POC、EXP、脚本、提权、小工具等---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms - Ostorlab/KEV | stars: 608 | updated: 2026-03-23 | https://github.com/Ostorlab/KEV
Notes: Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs. - Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell | stars: 0 | updated: 2025-09-24 | https://github.com/Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell
- CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend | stars: 0 | updated: 2025-08-13 | https://github.com/CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend
People and Organizations Mentioned
- TPLink
- TP-Link
- Multiple Routers
- Mr-xn
- Ostorlab
- Michaael01
- CyprianAtsyor
Practical Defensive Validation (Authorized Only)
- Use only isolated environments and systems you own or are explicitly authorized to test.
- Snapshot infrastructure before validation and preserve baseline logs (EDR, SIEM, OS, app).
- Use tp-link / tl-wr841n firmware (versions: < 241108) in isolated VM snapshots (vulnerable vs patched) and compare process tree telemetry before/after updates.
- Validate command-execution prevention policies (AppLocker/WDAC/EDR) with harmless test binaries only.
- Create SIEM detections for suspicious parent-child chains, encoded command usage, and abnormal service creation.
References
- NVD record: https://nvd.nist.gov/vuln/detail/CVE-2025-9377
- MITRE CVE record: https://www.cve.org/CVERecord?id=CVE-2025-9377
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CISA KEV JSON feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- KEV notes: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-9377
- https://www.tp-link.com/us/support/faq/4308/
- https://www.tp-link.com/us/support/faq/4365/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-9377
- Repository example: https://github.com/Mr-xn/Penetration_Testing_POC
- Repository example: https://github.com/Ostorlab/KEV
- Repository example: https://github.com/Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell
- Repository example: https://github.com/CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend
This content is for defensive security training and authorized validation only.