Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-9961

Summary
Assigner-TPLink
Assigner Org ID-f23511db-6c3e-4e32-a477-6aa17d310630
Published At-06 Sep, 2025 | 06:50
Updated At-26 Feb, 2026 | 17:49
Rejected At-
Credits

Authenticated RCE by CWMP binary

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.  The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.  This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:TPLink
Assigner Org ID:f23511db-6c3e-4e32-a477-6aa17d310630
Published At:06 Sep, 2025 | 06:50
Updated At:26 Feb, 2026 | 17:49
Rejected At:
▼CVE Numbering Authority (CNA)
Authenticated RCE by CWMP binary

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.  The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.  This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

Affected Products
Vendor
TP-Link Systems Inc.
Product
AX10 V1/V1.2/V2/V2.6/V3/V3.6
Default Status
unaffected
Versions
Affected
  • From 0 before 1.2.1 (custom)
Vendor
TP-Link Systems Inc.
Product
AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6
Default Status
unaffected
Versions
Affected
  • From 0 before 1.3.11 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-120CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Type: CWE
CWE ID: CWE-120
Description: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Metrics
VersionBase scoreBase severityVector
4.08.6HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679
N/A
https://www.tp-link.com/us/support/faq/4647/
vendor-advisory
https://www.tp-link.com/us/support/download/archer-ax10/
patch
https://www.tp-link.com/us/support/download/archer-ax1500/
patch
Hyperlink: https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679
Resource: N/A
Hyperlink: https://www.tp-link.com/us/support/faq/4647/
Resource:
vendor-advisory
Hyperlink: https://www.tp-link.com/us/support/download/archer-ax10/
Resource:
patch
Hyperlink: https://www.tp-link.com/us/support/download/archer-ax1500/
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:f23511db-6c3e-4e32-a477-6aa17d310630
Published At:06 Sep, 2025 | 07:15
Updated At:08 Sep, 2025 | 16:25

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.  The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.  This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.6HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-120Secondaryf23511db-6c3e-4e32-a477-6aa17d310630
CWE ID: CWE-120
Type: Secondary
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679f23511db-6c3e-4e32-a477-6aa17d310630
N/A
https://www.tp-link.com/us/support/download/archer-ax10/f23511db-6c3e-4e32-a477-6aa17d310630
N/A
https://www.tp-link.com/us/support/download/archer-ax1500/f23511db-6c3e-4e32-a477-6aa17d310630
N/A
https://www.tp-link.com/us/support/faq/4647/f23511db-6c3e-4e32-a477-6aa17d310630
N/A
Hyperlink: https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Resource: N/A
Hyperlink: https://www.tp-link.com/us/support/download/archer-ax10/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Resource: N/A
Hyperlink: https://www.tp-link.com/us/support/download/archer-ax1500/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Resource: N/A
Hyperlink: https://www.tp-link.com/us/support/faq/4647/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2025-9377
Matching Score-8
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-8
Assigner-TP-Link Systems Inc.
CVSS Score-8.6||HIGH
EPSS-15.60% / 94.59%
||
7 Day CHG~0.00%
Published-29 Aug, 2025 | 17:30
Updated-26 Feb, 2026 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-09-24||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Authenticated RCE via Parental Control command injection

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-tl-wr841n_firmwaretl-wr841narcher_c7_firmwaretl-wr841nd_firmwarearcher_c7tl-wr841ndTL-WR841N/ND(MS) V9Archer C7(EU) V2Multiple Routers
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-6541
Matching Score-8
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-8
Assigner-TP-Link Systems Inc.
CVSS Score-8.6||HIGH
EPSS-0.09% / 25.94%
||
7 Day CHG~0.00%
Published-21 Oct, 2025 | 00:21
Updated-24 Oct, 2025 | 13:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS command injection using information obtained from the web management interface

An arbitrary OS command may be executed on the product by the user who can log in to the web management interface.

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-er7212pcer7412-m2_firmwarefr205_firmwarefr365_firmwareer8411_firmwareer7412-m2er706w_firmwareg36_firmwareer7212pc_firmwarefr307-m2er706wer8411er706w-4ger605_firmwarefr365er707-m2er7206fr205er706w-4g_firmwarefr307-m2_firmwareer7206_firmwareg611er605g611_firmwareg36er707-m2_firmwareOmada Pro gatewaysFesta gatewaysOmada gateways
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-8065
Matching Score-6
Assigner-TP-Link Systems Inc.
ShareView Details
Matching Score-6
Assigner-TP-Link Systems Inc.
CVSS Score-7.1||HIGH
EPSS-0.02% / 6.19%
||
7 Day CHG~0.00%
Published-20 Dec, 2025 | 00:41
Updated-08 Jan, 2026 | 19:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buffer Overflow in ONVIF XML Parser on Tapo C200

A buffer overflow vulnerability exists in the ONVIF XML parser of Tapo C200 V3. An unauthenticated attacker on the same local network segment can send specially crafted SOAP XML requests, causing memory overflow and device crash, resulting in denial-of-service (DoS).

Action-Not Available
Vendor-TP-Link Systems Inc.TP-Link Systems Inc.
Product-tapo_c200_firmwaretapo_c200Tapo C200 V3
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2025-40815
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.6||HIGH
EPSS-0.06% / 18.14%
||
7 Day CHG~0.00%
Published-11 Nov, 2025 | 20:20
Updated-12 Nov, 2025 | 18:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA2) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA2) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA2) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA2) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA2) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA2) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA2) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA2) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA2) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA2) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA2) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA2) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA2) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA2) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA2) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA2) (All versions). Affected devices do not properly validate the structure of TCP packets in several methods. This could allow an attacker to cause buffer overflows, get control over the instruction counter and run custom code.

Action-Not Available
Vendor-Siemens AG
Product-LOGO! 24CESIPLUS LOGO! 12/24RCESIPLUS LOGO! 12/24RCEoSIPLUS LOGO! 230RCEoLOGO! 12/24RCEoLOGO! 24RCESIPLUS LOGO! 24RCEoSIPLUS LOGO! 24RCELOGO! 230RCEoSIPLUS LOGO! 24CEoLOGO! 12/24RCELOGO! 24RCEoLOGO! 24CEoLOGO! 230RCESIPLUS LOGO! 230RCESIPLUS LOGO! 24CE
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Details not found