Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

OS Command Injection in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 Parental Control page

IdentifiersCVE-2025-9377CWE-78· Improper Neutralization of Special…

CVE-2025-9377 is an authenticated OS command injection vulnerability in the Parental Control page of TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers. The issue affects Archer C7(EU) V2 firmware before 241108 and TL-WR841N/ND(MS) V9 firmware before 241108. Successful exploitation allows an authenticated remote attacker to inject operating-system commands via the web management interface, resulting in remote command execution on the device. The affected products are end-of-life, although TP-Link has referenced patch availability via support links and otherwise recommends replacement with newer products.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in remote code execution on the router with the privileges of the vulnerable management component, enabling full compromise of the device. A compromised router can be used to hijack home or small-business network traffic, alter device configuration, disable management services, stage additional malware or botnet payloads, proxy malicious traffic, and support follow-on attacks against downstream systems. The vulnerability has been reported as actively exploited and was added to CISA's Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching or replacement is not possible, restrict access to the router management interface to trusted internal hosts only, disable remote administration from untrusted networks, segment the device from exposed management paths, and monitor for unauthorized configuration changes or suspicious process activity. Given the products' end-of-life status and active exploitation, mitigation should be treated only as a short-term measure pending patching or hardware replacement.

Remediation

Patch, then assume compromise.

Upgrade affected devices to firmware version 241108 or later, as applicable, using TP-Link-provided patches referenced in the vendor support materials. Because the affected Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 models are end-of-life, TP-Link also recommends replacing them with supported hardware to ensure ongoing security updates.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
TP-LinkArcher C7 Firmwareoperating_system
TP-LinkTl-Wr841n Firmwareoperating_system
TP-LinkTl-Wr841nd Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

35 SOURCESView more in app
techrepublic com securityNews
Mar 26, 2026
TP-Link Fixes Bug That Lets Hackers Take Over Routers Without a Password

A TP-Link vulnerability referenced as added by CISA to its Known Exploited Vulnerabilities catalog.

Read more
security affairsNews
Mar 25, 2026
Patch now: TP-Link Archer NX routers vulnerable to firmware takeover

An OS command injection vulnerability affecting TP-Link Archer C7(EU) and TL-WR841N/ND(MS) devices.

Read more
bank info securityNews
Feb 18, 2026
Texas Sues TP-Link for Covering Up Chinese Manufacturing

A remote command execution vulnerability affecting end-of-life TP-Link routers, cited in the Texas attorney general’s lawsuit as evidence contradicting TP-Link’s security marketing claims.

Read more
govinfosecurityNews
Feb 18, 2026
Texas Sues TP-Link for Covering Up Chinese Manufacturing

A remote command execution vulnerability affecting end-of-life TP-Link routers.

Read more
+7 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity24

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-9377
NVD
nvd.nist.gov/vuln/detail/CVE-2025-9377
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
Vendor Advisory
tp-link.com/us/support/faq/4365
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-9377
Product
tp-link.com/us/support/faq/4308