A new zero-day vulnerability has surfaced in multiple TP-Link router models, putting millions of users worldwide at potential risk. Independent security researcher Mehrun (ByteRay) discovered the flaw in May 2024, and although TP-Link has confirmed the issue, a global fix is still pending. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning as other TP-Link vulnerabilities are actively exploited in ongoing cyberattacks.
TP-Link acknowledged that it is still investigating exposure levels and device impact, with a patch already available for certain European router models. However, no clear timeline exists for firmware updates covering the U.S. and other global markets. The company urged customers to regularly update their devices, monitor firmware updates via official channels, and apply basic hardening measures such as disabling unnecessary services and changing default admin credentials.
At the heart of this zero-day lies a stack-based buffer overflow in TP-Link’s CWMP (CPE WAN Management Protocol) implementation. This flaw occurs because of unsafe strncpy function calls, which fail to enforce proper bounds checking. If exploited, attackers can craft a malicious SOAP SetParameterValues request that exceeds 3072 bytes, ultimately achieving remote code execution (RCE) on the router.
Once compromised, attackers could reroute DNS queries, intercept unencrypted traffic, or inject malicious payloads into web browsing sessions. Researchers confirmed that TP-Link Archer AX10 and AX1500 are vulnerable, with other models like EX141, VR400, and TD-W9970 also suspected to be impacted. This makes the threat significant, as these models remain widely available in consumer markets.
Security experts emphasize that the attack chain is realistic and dangerous. Adversaries could exploit outdated firmware or leverage default login credentials to redirect traffic to a malicious CWMP server, delivering the crafted payload to trigger the buffer overflow. Such attacks highlight why router security is critical, given that compromised devices can be turned into botnet nodes or proxies for cybercrime operations.
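A defender-side check for the delivery step described above, written for this page as an added example (not code from the researcher, TP-Link, or the article): it parses a CWMP SOAP body and reports SetParameterValues entries whose values exceed a size limit, so an ACS proxy or IDS can flag oversized RPCs before they reach a router. The 3072-byte figure comes from the article; treating it as a per-value limit, and the sample envelope below, are assumptions.

```python
import xml.etree.ElementTree as ET

# CWMP RPCs live in this namespace; other elements are often unqualified.
CWMP_NS = "urn:dslforum-org:cwmp"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEFAULT_LIMIT = 3072  # byte figure taken from the article


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix so matching works whether or not an ACS qualifies child elements."""
    return tag.rsplit("}", 1)[-1]


def find_oversized_spv(soap_body: str, limit: int = DEFAULT_LIMIT):
    """Return (parameter name, value length in bytes) for every SetParameterValues
    entry whose Value is longer than `limit`. Returns None when the body is not
    well-formed XML, so callers can treat unparsable CWMP traffic as its own signal."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    hits = []
    for rpc in root.iter():
        if _local(rpc.tag) != "SetParameterValues":
            continue
        for pvs in rpc.iter():
            if _local(pvs.tag) != "ParameterValueStruct":
                continue
            name, value = "", ""
            for child in pvs:
                if _local(child.tag) == "Name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "Value":
                    value = child.text or ""
            size = len(value.encode("utf-8"))
            if size > limit:
                hits.append((name, size))
    return hits


# Constructed sample (assumption, not captured traffic): one normal-sized
# value and one filler value that is just over the limit.
SAMPLE_SPV = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:cwmp="{CWMP_NS}">
<soap:Body><cwmp:SetParameterValues><ParameterList>
<ParameterValueStruct><Name>Device.ManagementServer.PeriodicInformInterval</Name><Value>300</Value></ParameterValueStruct>
<ParameterValueStruct><Name>Device.ManagementServer.URL</Name><Value>{'x' * 3100}</Value></ParameterValueStruct>
</ParameterList><ParameterKey>k1</ParameterKey></cwmp:SetParameterValues></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(find_oversized_spv(SAMPLE_SPV))  # [('Device.ManagementServer.URL', 3100)]
```

The limit is a heuristic for spotting the oversized requests the article describes; it does not replace the vendor's firmware fix or disabling CWMP where it is not needed.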
CISA further intensified the warning by adding two previously disclosed TP-Link flaws—CVE-2023-50224 (authentication bypass) and CVE-2025-9377 (command injection)—to its Known Exploited Vulnerabilities (KEV) catalog. Both have been weaponized by the Quad7 botnet, a large-scale malware network linked to Chinese threat actors. This botnet hijacks vulnerable routers to carry out password spraying attacks on cloud services, including Microsoft 365, stealing sensitive user credentials and blending malicious traffic with legitimate requests.
Until patches are available, users should disable CWMP if not required, change all default passwords, and isolate routers from sensitive network segments. These steps, while temporary, can significantly reduce the attack surface.
Conclusion
The discovery of this TP-Link zero-day highlights the growing risks of router-based exploits. With CISA confirming active attacks on existing TP-Link vulnerabilities, the urgency for prompt patching, firmware updates, and proactive device hardening cannot be overstated. As routers remain a cornerstone of digital connectivity, ensuring their security is paramount to protecting both individual users and enterprise networks.