CVE-2025-9377

Authenticated RCE via Parental Control command injection

CVSS 8.6 HIGH | EPSS 11.7% | KEV | CWE-78
In short

An authenticated attacker can execute arbitrary commands on TP-Link routers (Archer C7(EU) V2 and TL-WR841N/ND(MS) V9) through a command injection flaw in the Parental Control page. This allows complete system compromise if an attacker gains access to the router's admin interface.

Technical detail

A command injection vulnerability in the Parental Control functionality allows authenticated users to inject and execute arbitrary OS commands via unsanitized input parameters. The attack requires valid administrative credentials and affects firmware versions before 241108; exploitation results in remote code execution with router privileges.

Summary generated and translated by AI from the official description.
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It is recommended to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
