Skip to main content
CVE Vulnerability Database

CVE-2025-9961: TP-Link AX10/AX1500 CWMP RCE Vulnerability

CVE-2025-9961 is a remote code execution vulnerability in TP-Link AX10 and AX1500 routers affecting the CWMP binary. Authenticated attackers can exploit this via MITM attacks to execute arbitrary code remotely. Discover technical details, affected versions, impact analysis, and mitigation strategies.

Published:

CVE-2025-9961 Overview

CVE-2025-9961 is a stack-based buffer overflow [CWE-120] in the CWMP (CPE WAN Management Protocol, TR-069) binary on TP-Link Archer AX10 and AX1500 wireless routers. An authenticated attacker positioned to perform a Man-In-The-Middle (MITM) attack between the router and its Auto Configuration Server can deliver a crafted CWMP response that overflows a fixed-size buffer and achieves arbitrary code execution on the device. The flaw affects AX10 versions before 1.2.1 and AX1500 versions before 1.3.11. Successful exploitation yields control over the router, exposing all traffic traversing the device.

Critical Impact

Remote code execution on consumer and small-office routers enables traffic interception, DNS hijacking, lateral movement into the LAN, and persistent botnet enrollment.

Affected Products

  • TP-Link Archer AX10 hardware revisions V1, V1.2, V2, V2.6, V3, and V3.6 running firmware earlier than 1.2.1
  • TP-Link Archer AX1500 hardware revisions V1, V1.20, V1.26, V1.60, V1.80, V2.60, and V3.6 running firmware earlier than 1.3.11
  • Deployments that retain CWMP/TR-069 remote management enabled

Discovery Timeline

  • 2025-09-06 - CVE-2025-9961 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9961

Vulnerability Analysis

The defect lives in the router's CWMP client, which speaks TR-069 to a remote Auto Configuration Server (ACS). The client parses SOAP/XML responses from the ACS and copies attacker-influenced values into a fixed-size stack buffer without verifying the source length. A sufficiently long field overruns the buffer, overwrites the saved return address, and redirects execution into attacker-controlled data. Because the CWMP daemon runs with elevated privileges on the embedded Linux system, code executed through this path gains broad control over the router. ByteRay's research identifies the issue as an automated-discovery finding in the CWMP stack of TP-Link routers, classified as a stack overflow under CWE-120: Buffer Copy without Checking Size of Input.

Root Cause

The CWMP binary uses unbounded string copy operations when handling ACS-supplied parameters. No length validation is enforced before the destination buffer on the stack is populated, allowing the saved frame pointer and return address to be overwritten. Refer to the ByteRay Zero-Day Alert for the disassembly and overflow primitive.

Attack Vector

Exploitation requires two preconditions. First, the attacker must hold valid credentials or otherwise be authenticated to the router context that initiates the CWMP session. Second, the attacker must occupy a network position that intercepts traffic between the router and its configured ACS. From that vantage point, the attacker forges or rewrites SOAP responses, embedding an overlong field that triggers the overflow when parsed by the CWMP client. The MITM requirement constrains exploitation to ISP backhaul compromise, hostile WAN-side networks, or DNS/BGP redirection that reroutes ACS traffic.

Detection Methods for CVE-2025-9961

Indicators of Compromise

  • Unexpected outbound CWMP/TR-069 sessions on TCP 7547 to hosts other than the legitimate ACS
  • Router crashes, repeated CWMP process restarts, or watchdog reboots logged around suspicious ACS sessions
  • DNS responses on the LAN resolving to attacker-controlled infrastructure after a router reboot
  • New listening services, modified iptables rules, or altered administrator credentials following ACS interactions

Detection Strategies

  • Inspect WAN-side traffic for TR-069 sessions and validate that the destination matches the ISP-provisioned ACS fully qualified domain name
  • Alert on TLS-stripped or plaintext CWMP exchanges where the ACS endpoint deviates from a known allowlist
  • Correlate router syslog CWMP errors with deviations in egress traffic patterns and DNS resolver changes

Monitoring Recommendations

  • Forward router and gateway syslog to a centralized analytics platform and retain CWMP session metadata
  • Baseline expected ACS endpoints per device model and trigger on first-seen ACS hostnames or IPs
  • Track firmware versions across the fleet so that hosts running AX10 below 1.2.1 or AX1500 below 1.3.11 are flagged for remediation

How to Mitigate CVE-2025-9961

Immediate Actions Required

Patch Information

TP-Link addresses the stack overflow in Archer AX10 firmware 1.2.1 and Archer AX1500 firmware 1.3.11. The patched CWMP binary enforces bounds checking on ACS-supplied parameters before copying them into stack buffers. Apply the firmware update through the router web UI under System Tools > Firmware Upgrade or via the offline image provided on the TP-Link support portal.

Workarounds

  • Disable CWMP/TR-069 in the router administration panel when the ISP does not require remote provisioning
  • Restrict the CWMP inform URL to a hardcoded HTTPS endpoint and pin the ACS certificate where the firmware allows it
  • Segment management traffic from untrusted WAN paths and block inbound TCP 7547 from networks outside the ISP
  • Restrict administrative access to the LAN interface and disable remote management until the patch is applied

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.