The Cybersecurity and Infrastructure Security Agency (CISA) has added two TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgent need for network administrators and home users alike to take immediate action. Both flaws—one involving authentication bypass and the other remote code execution—are confirmed to be under active exploitation.
The first vulnerability, CVE-2023-50224 (CVSS 6.5), affects the popular TP-Link TL-WR841N router. The flaw stems from improper authentication in the router’s httpd service, which listens on TCP port 80.
This weakness allows network-adjacent attackers to disclose sensitive information without authentication, including stored credentials. Once exposed, these credentials can serve as a gateway to deeper compromise of the device and connected systems.
TP-Link has issued a firmware update to address the flaw, available through its official support page.
The second vulnerability, CVE-2025-9377 (CVSSv4 8.6), poses a more severe risk. It impacts the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers, enabling authenticated attackers to perform remote command execution (RCE).
Affected firmware versions include:
- Archer C7(EU) V2: before 241108
- TL-WR841N/ND(MS) V9: before 241108
Both devices are now end-of-life (EOL), meaning they no longer receive long-term support. TP-Link strongly recommends replacing them with newer models for better performance and security. For those unable to immediately upgrade, patched firmware is available for Archer C7(EU) V2, TL-WR841N(MS) V9, and TL-WR841ND(MS) V9.
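An inventory triage check for the CVE-2025-9377 firmware cutoff listed above. This is an added example, not code from TP-Link or CISA. It assumes the firmware string contains a `Build NNNNNN` token and that build numbers order numerically; the inventory rows are constructed sample data.

```python
import re

# Affected models and first patched build, taken from the list above.
FIXED_BUILD = {
    ("ARCHERC7(EU)", "V2"): 241108,
    ("TL-WR841N(MS)", "V9"): 241108,
    ("TL-WR841ND(MS)", "V9"): 241108,
}

# Assumption: the firmware version string carries a "Build NNNNNN" token.
BUILD_RE = re.compile(r"\bBuild\s+(\d{6})\b", re.IGNORECASE)

def normalize(model, hw):
    """Canonicalize model and hardware revision ('v9.0' or '9' -> 'V9')."""
    model = re.sub(r"\s+", "", model).upper()
    hw = hw.strip().upper().split(".")[0]
    return model, hw if hw.startswith("V") else "V" + hw

def triage(model, hw, firmware):
    """Classify one device against the advisory's build cutoff."""
    fixed = FIXED_BUILD.get(normalize(model, hw))
    if fixed is None:
        return "not-listed"
    match = BUILD_RE.search(firmware)
    if match is None:
        # Fail closed: an unparsable build needs manual review.
        return "unknown-build"
    # Listed models are end-of-life, so a patched unit is still due for replacement.
    return "vulnerable" if int(match.group(1)) < fixed else "patched-eol"

# Constructed sample inventory: (model, hardware revision, firmware string).
INVENTORY = [
    ("Archer C7(EU)", "V2", "3.15.3 Build 180305 Rel.00000n"),
    ("TL-WR841N(MS)", "v9.0", "3.16.9 Build 241108 Rel.00000n"),
    ("TL-WR841ND(MS)", "V9", "n/a"),
    ("Archer AX55", "V1", "1.0.0 Build 230101 Rel.00000n"),
]

def report(inventory=INVENTORY):
    """Return (model, status) pairs for every inventory row."""
    return [(model, triage(model, hw, fw)) for model, hw, fw in inventory]

if __name__ == "__main__":
    for model, status in report():
        print(f"{model:16} {status}")
```
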
TP-Link further advises users to:
- Reboot and restore the router to refresh access to the local management webpage.
- Avoid remote management in favor of TP-Link’s official Tether mobile application.
In line with CISA’s directive, Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerabilities by September 24, 2025.