Full Report
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks. [...]
Analysis Summary
# Vulnerability: TP-Link CWMP Stack Overflow (Zero-Day)
## CVE Details
- CVE ID: Not yet assigned
- CVSS Score: Not yet assigned (a remotely reachable stack overflow with RCE potential would ordinarily rate High or Critical)
- CWE: CWE-121: Stack-based Buffer Overflow
## Affected Systems
- Products: TP-Link routers (full model list pending TP-Link's confirmation)
- Versions: Not stated; any firmware build whose CWMP (TR-069) client contains the affected `SetParameterValues` handler should be treated as affected.
- Configurations: Exploitable only when CWMP (CPE WAN Management Protocol, TR-069) is enabled.
- Confirmed by the researcher's testing: Archer AX10 and Archer AX1500.
- Potentially affected: EX141, Archer VR400, TD-W9970, and others.
## Vulnerability Description
A critical stack-based buffer overflow exists in the CWMP (TR-069) client of several TP-Link router models. The flaw is in the function that handles `SetParameterValues` SOAP requests from the ACS (the ISP-side management server): parameter values are copied into a fixed 3072-byte stack buffer with `strncpy` calls whose length is not bounded by the size of that destination buffer, so a `<Value>` longer than 3072 bytes overwrites the adjacent stack contents. Because the CPE initiates the CWMP session and then executes whatever RPCs the ACS sends, an attacker who controls or impersonates the ACS (for example, by redirecting the router's configured ACS URL to a server they operate) can deliver an oversized `SetParameterValues` payload and potentially achieve Remote Code Execution (RCE) on the device.
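The following C model, added to this summary and not taken from TP-Link's firmware or the researcher's report, contrasts the flawed copy pattern described above with a bounded one. The 3072-byte buffer mirrors the figure in the report; the frame layout, the function names (`spv_store_vulnerable`, `spv_store_hardened`) and the payload are hypothetical, arranged so the overflow is observable without corrupting this program's own stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration added to this summary; it is not TP-Link firmware code. The
 * 3072-byte buffer mirrors the figure in the report. The frame layout, the
 * function names and the payload are hypothetical, arranged so the overflow
 * is observable without corrupting this program's own stack. */

#define PARAM_BUF_SIZE 3072                     /* reported stack buffer size */
#define FRAME_SIZE     (PARAM_BUF_SIZE + sizeof(uint32_t))
#define RA_MARKER      0xDEADBEEFu              /* stands in for the saved return address */

/* Model of the handler's stack frame: the value buffer, then the saved
 * return address that sits directly above it in memory. */
struct spv_frame {
    unsigned char bytes[FRAME_SIZE];
};

static void frame_init(struct spv_frame *f)
{
    uint32_t ra = RA_MARKER;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + PARAM_BUF_SIZE, &ra, sizeof ra);
}

static uint32_t frame_saved_ra(const struct spv_frame *f)
{
    uint32_t ra;
    memcpy(&ra, f->bytes + PARAM_BUF_SIZE, sizeof ra);
    return ra;
}

/* Vulnerable pattern: the copy length is taken from the attacker-controlled
 * <Value> element, not from the destination, so a value longer than
 * PARAM_BUF_SIZE runs into the saved return address. The cap at FRAME_SIZE
 * exists only to keep this demo memory-safe; a real handler has no such cap. */
static int spv_store_vulnerable(struct spv_frame *f, const char *value, size_t value_len)
{
    size_t n = value_len < FRAME_SIZE ? value_len : FRAME_SIZE;
    strncpy((char *)f->bytes, value, n);        /* flawed: n is not tied to PARAM_BUF_SIZE */
    return 0;                                   /* reports success even after smashing the frame */
}

/* Hardened pattern: the length is checked against the destination (leaving
 * room for the terminator) before anything is copied, and an oversized value
 * is refused. In a CWMP client the refusal would become a SOAP fault. */
static int spv_store_hardened(struct spv_frame *f, const char *value, size_t value_len)
{
    if (value_len >= PARAM_BUF_SIZE)
        return -1;
    memcpy(f->bytes, value, value_len);
    f->bytes[value_len] = '\0';
    return 0;
}

/* Feeds a constructed <Value> four bytes longer than the buffer to both
 * handlers. Returns 1 when the vulnerable path overwrote the saved return
 * address with 0x41414141 and the hardened path rejected the input, leaving
 * the frame intact. */
static int demo_oversized_value(void)
{
    static char payload[FRAME_SIZE];            /* constructed oversized <Value> */
    struct spv_frame f;
    int smashed, rejected, intact;

    memset(payload, 'A', sizeof payload);

    frame_init(&f);
    spv_store_vulnerable(&f, payload, sizeof payload);
    smashed = frame_saved_ra(&f) == 0x41414141u;

    frame_init(&f);
    rejected = spv_store_hardened(&f, payload, sizeof payload) == -1;
    intact = frame_saved_ra(&f) == RA_MARKER;

    return smashed && rejected && intact;
}

/* Sanity check for the hardened path on a normal-sized value: stored,
 * NUL-terminated, frame intact. Returns 1 on success. */
static int demo_normal_value(void)
{
    struct spv_frame f;
    frame_init(&f);
    if (spv_store_hardened(&f, "42", 2) != 0)
        return 0;
    return strcmp((const char *)f.bytes, "42") == 0 && frame_saved_ra(&f) == RA_MARKER;
}

int main(void)
{
    if (demo_oversized_value() && demo_normal_value())
        puts("vulnerable handler: saved return address overwritten; hardened handler: value rejected");
    else
        puts("unexpected result");
    return 0;
}
```

The point of the model is that `strncpy` is not a fix by itself: it only bounds the copy if the length argument derives from the destination. The hardened variant checks the parsed length first, which is also where a real CWMP client would generate its SOAP fault instead of continuing with a truncated value.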
## Exploitation
- Status: Zero-day, confirmed by TP-Link after the researcher's disclosure. In-the-wild exploitation of this specific flaw has not been reported; the CISA alert referenced below concerns other TP-Link flaws that are being actively exploited.
- Complexity: Medium. The attacker must get the router to talk to a CWMP server they control (by redirecting the configured ACS URL, tampering with DNS, or holding an upstream position) or first reach the management interface, for example with default credentials.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (RCE allows eavesdropping, DNS redirection, traffic manipulation)
- Integrity: High (RCE allows silent interception or manipulation of unencrypted traffic and injection of malicious payloads)
- Availability: Medium (Potential for device compromise and Denial of Service)
## Remediation
### Patches
- Patch confirmed developed for **European models**.
- Work is underway to develop and expedite fixes for **U.S. and global firmware versions**. (No ETA provided).
### Workarounds
1. Change the default administrator password immediately.
2. Disable CWMP (CPE WAN Management Protocol, TR-069) in the router's management settings if your ISP does not rely on it for remote provisioning.
3. Apply the official firmware update for your region as soon as it becomes available.
4. Where possible, keep critical internal hosts on a segment the router cannot reach directly (for example, behind a separate firewall), and treat the device as untrusted until it is patched.
## Detection
- Indicators of Compromise: DNS settings or queries redirected to unexpected resolvers, silent manipulation of unencrypted traffic, unexpected connections originating from the router, and a configured CWMP/ACS URL that does not match the ISP's.
- Detection methods and tools: Monitor for inbound connections to the router's TR-069 connection-request listener (TCP/7547 by convention) from anything other than the ISP's ACS, and for the router opening outbound management sessions to hosts other than its known ACS; where CWMP traffic is visible in clear, inspect `SetParameterValues` bodies for oversized values.
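As an added example (not from the report or from any vendor tooling), the following C program applies the two detection rules above to a constructed flow log from a home gateway. The addresses, the log format and the ACS/router identities are assumptions made for the example; in a real deployment the known-ACS list would come from the ISP's provisioning data.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the report. Flags the two CWMP-related patterns
 * from the Detection section: (1) inbound TCP/7547 connection requests from
 * anyone but the ISP's ACS, (2) the router itself opening HTTP(S)/CWMP
 * sessions to a host other than the known ACS. All addresses, the log
 * format and the sample lines are constructed for this example. */

#define ROUTER_WAN_IP "203.0.113.20"   /* constructed: the CPE's WAN address */
#define KNOWN_ACS_IP  "198.51.100.5"   /* constructed: the provisioned ACS */
#define CWMP_PORT     7547             /* TR-069 connection-request port */

struct flow {
    char src[16];
    char dst[16];
    int  dport;
};

/* Parses one "src=A dst=B dport=N" line; returns 1 on success. */
static int parse_flow(const char *line, struct flow *f)
{
    return sscanf(line, "src=%15s dst=%15s dport=%d", f->src, f->dst, &f->dport) == 3;
}

/* Returns 1 for pattern (1), 2 for pattern (2), 0 for an uninteresting flow. */
static int classify_flow(const struct flow *f)
{
    int from_acs = strcmp(f->src, KNOWN_ACS_IP) == 0;
    int to_acs   = strcmp(f->dst, KNOWN_ACS_IP) == 0;

    if (strcmp(f->dst, ROUTER_WAN_IP) == 0 && f->dport == CWMP_PORT && !from_acs)
        return 1;   /* someone other than the ACS is poking the CWMP listener */
    if (strcmp(f->src, ROUTER_WAN_IP) == 0 && !to_acs &&
        (f->dport == 80 || f->dport == 443 || f->dport == CWMP_PORT))
        return 2;   /* router opening a management-style session to an unknown host */
    return 0;
}

/* Convenience wrapper: -1 if the line does not parse, else classify_flow(). */
static int classify_line(const char *line)
{
    struct flow f;
    if (!parse_flow(line, &f))
        return -1;
    return classify_flow(&f);
}

/* Constructed sample log: two legitimate ACS exchanges, two suspicious flows, one NTP flow. */
static const char *const SAMPLE_LOG[] = {
    "src=198.51.100.5 dst=203.0.113.20 dport=7547",   /* ACS connection request: expected */
    "src=203.0.113.20 dst=198.51.100.5 dport=443",    /* CWMP session to the ACS: expected */
    "src=192.0.2.77 dst=203.0.113.20 dport=7547",     /* unknown host hitting the CWMP listener */
    "src=203.0.113.20 dst=192.0.2.77 dport=443",      /* router calling out to a rogue ACS */
    "src=203.0.113.20 dst=192.0.2.9 dport=123",       /* NTP: not flagged */
};

/* Scans n lines, prints each alert, and returns the number of alerts. */
static int scan_log(const char *const *lines, size_t n)
{
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        int kind = classify_line(lines[i]);
        if (kind > 0) {
            alerts++;
            printf("ALERT[%d] %s\n", kind, lines[i]);
        }
    }
    return alerts;
}

int main(void)
{
    int n = scan_log(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
    printf("%d suspicious flow(s)\n", n);
    return 0;
}
```

Rule (2) is deliberately narrow to management-style ports; a router also legitimately contacts vendor cloud and update hosts on 443, so in practice those destinations belong in the allowlist alongside the ACS, otherwise the rule becomes noisy.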
## References
- Researcher Report: blog[.]byteray[.]co[.]uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679
- CISA Alert (for context on other exploited TP-Link flaws): cisa[.]gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
---
*Note: This summary focuses on the newly reported zero-day. The article also mentions two other exploited TP-Link flaws tracked as CVE-2023-50224 (Authentication Bypass) and CVE-2025-9377 (Command Injection), which were chained by the Quad7 botnet.*