- TP-Link patches two vulnerabilities in older SOHO routers
- Chinese threat actor Quad7 used the botnet for large-scale password spraying attacks
- The flaws were serious enough to warrant firmware updates, even though the routers are end of life
TP-Link has patched two vulnerabilities affecting some of its Small Office/Home Office (SOHO) routers, which have apparently been used by Chinese actors to build a malicious botnet targeting Microsoft 365 accounts.
In a security advisory, TP-Link said it had been informed of two flaws, CVE-2025-50224 and CVE-2025-9377, chained against the Archer C7 and TL-WR841N/ND routers. The first is an authentication bypass vulnerability with a medium score (6.5/10), while the second is a high-severity remote code execution (RCE) vulnerability with a score of 8.6/10.
The affected routers have reached end-of-life (EOL) status, which means they should no longer receive updates or security fixes. However, given the severity of the attacks, TP-Link decided to release a firmware update anyway.
CISA warnings
The group exploiting these flaws is known as Quad7 (AKA 7777), a Chinese threat actor that has also been linked to state-sponsored cyber-espionage campaigns.
In this case, the group used the botnet to carry out password spraying attacks against Microsoft 365 accounts. It does not appear to target a specific demographic, which means everyone is equally at risk.
Malwarebytes Research said that some ISPs supply these TP-Link routers to their customers, and urged users to check the devices running in their homes and offices.
“Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America,” it said. “For example, the Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as ‘Wifibooster Ziggo C7’, providing it to customers with Ziggo-specific firmware.”
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued advisories for these flaws. One of them, CVE-2025-9377, was added to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday August 3, giving FCEB agencies three weeks to apply the fix or replace the equipment.
In fact, CISA recently added three TP-Link flaws to KEV, CyberInsider reported, including CVE-2023-50224 (an authentication bypass by spoofing) and CVE-2010-24363 (a factory reset and reboot trigger via a TDDP_RESET POST request).
Via Malwarebytes