CVE-2025-9377

Authenticated RCE via Parental Control command injection

Description

The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).

References

Link	Tags
https://www.tp-link.com/us/support/faq/4365/	vendor advisory
https://www.tp-link.com/us/support/faq/4308/	vendor advisory patch

Frequently Asked Questions

What is the severity of CVE-2025-9377?: CVE-2025-9377 has been scored as a high severity vulnerability.
How to fix CVE-2025-9377?: To fix CVE-2025-9377, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-9377 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2025-9377 is being actively exploited.
What software or system is affected by CVE-2025-9377?: CVE-2025-9377 affects TP-Link Systems Inc. Archer C7(EU) V2, TP-Link Systems Inc. TL-WR841N/ND(MS) V9.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Category

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions