- TP-Link patches two vulnerabilities in older SOHO routers
- Chinese threat actor Quad7 used the botnet for broad password-spraying attacks
- The flaws were severe enough to warrant firmware updates, despite the routers being end-of-life
TP-Link has patched two vulnerabilities affecting some of its small office/home office (SOHO) routers, which were apparently used by Chinese actors to create a malicious botnet used to target Microsoft 365 accounts.
In a security advisory, TP-Link said it was notified of two flaws: CVE-2025-50224 and CVE-2025-9377, being chained together against Archer C7 and TL-WR841N/ND routers. The former is an authentication bypass vulnerability with a medium-severity score (6.5/10) while the latter is a high-severity remote command execution (RCE) vulnerability, with a score of 8.6/10.
The routers being targeted reached their end-of-life (EoL) status, meaning they should no longer be receiving security updates or patches. However, given the severity of the attacks, TP-Link still decided to issue a firmware update.
CISA’s warnings
The group exploiting these flaws is called Quad7 (AKA 7777), a Chinese threat actor which has also been linked to state-sponsored cyber-espionage campaigns.
In this instance, the group used the botnet to perform password-spraying attacks against Microsoft 365 accounts. It doesn’t seem to be targeting any specific demographic, meaning everyone is equally at risk.
Malwarebytes research said some ISPs provide their customers with TP-Link’s routers, urging users to double-check which devices they’re running in their homes and offices.
“Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America,” it says. “For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.”
At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued advisories for these flaws. One of the flaws – CVE-2025-9377 – was added to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, August 3, giving FCEB agencies three weeks to apply the patch or replace the hardware.
In fact, CISA recently added three TP-LINK flaws to KEV, CyberInsider reported, including CVE-2023-50224 (an authentication bypass by spoofing vulnerability), and CVE-2020-24363 (a factory reset and reboot trigger via a TDDP_RESET POST request).
Via Malwarebytes