- TP-Link patches two vulnerabilities in older SOHO routers
- Chinese threat actor Quad7 used the botnet for wide password-spraying attacks
- The flaws were serious enough to warrant firmware updates, despite the routers being end of life
TP-Link has patched two vulnerabilities affecting some of its small office/home office (SOHO) routers, which were apparently used by Chinese actors to build a malicious botnet used to target Microsoft 365 accounts.
In a security advisory, TP-Link said it was notified of two flaws, CVE-2025-50224 and CVE-2025-9377, which were chained together against Archer C7 and TL-WR841N/ND routers. The former is an authentication bypass vulnerability with a medium severity score (6.5/10), while the latter is a remote code execution (RCE) vulnerability with a high severity score of 8.6/10.
The targeted routers have reached end-of-life (EOL) status, which means they would normally no longer receive security updates or patches. However, given the severity of the attacks, TP-Link still decided to issue a firmware update.
CISA’s warnings
The group exploiting these flaws is called Quad7 (AKA 7777), a Chinese threat actor that has also been linked to state-backed cyber-espionage campaigns.
In this case, the group used the botnet to carry out password-spraying attacks against Microsoft 365 accounts. The activity does not appear to be aimed at any specific demographic, which means everyone is equally at risk.
Malwarebytes Research noted that some ISPs supply their customers with TP-Link routers and encouraged users to double-check which devices they are running in their homes and offices.
“Several ISPs have used TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America,” it says. “For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the ‘Wifibooster Ziggo C7’, supplying it to customers with Ziggo-specific firmware.”
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued advisories for these flaws. One of them, CVE-2025-9377, was added to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, August 3, giving FCEB agencies three weeks to apply the patch or replace the hardware.
In fact, CISA recently added three TP-Link bugs to KEV, CyberInsider reported, including CVE-2023-50224 (an authentication spoofing vulnerability) and CVE-2020-24363 (a factory reset and reboot triggered via a TDDP_reset POST request).
Via Malwarebytes