- TP-Link patches two vulnerabilities in older SOHO routers
- Chinese threat actor Quad7 used the botnet for widespread password attacks
- The flaws were serious enough to warrant firmware updates, even though the routers are end-of-life
TP-Link has patched two vulnerabilities affecting some of its small office/home office (SOHO) routers, which were apparently used by Chinese actors to build a malicious botnet aimed at Microsoft 365 accounts.
In a security advisory, TP-Link said it had been notified of two flaws, CVE-2025-50224 and CVE-2025-9377, chained against the Archer C7 and TL-WR841N/ND. The first is an authentication bypass vulnerability with a medium severity score (6.5/10), while the second is a high-severity remote command execution (RCE) vulnerability with a score of 8.6/10.
The affected routers have reached end of life (EOL), meaning they would normally no longer receive updates or security patches. However, given the severity of the attacks, TP-Link decided to issue a firmware update anyway.
CISA warnings
The group exploiting these flaws is called Quad7 (also known as 7777), a Chinese threat actor that has also been linked to state-sponsored cyber campaigns.
In this case, the group used the botnet to carry out password-spraying attacks against Microsoft 365 accounts. The campaign does not appear to target any specific demographic, which means everyone is equally at risk.
Malwarebytes' research noted that some ISPs supply their customers with TP-Link routers, and urged users to check which devices are running in their homes and offices.
“Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranded, to distribute to customers, especially in Europe and North America,” the report says. “For example, the Dutch ISP Ziggo is known to have renamed the TP-Link Archer C7 as the ‘Wifibooster Ziggo C7’, which ships to customers with Ziggo-specific firmware.”
At the same time, the United States Cybersecurity and Infrastructure Security Agency (CISA) also issued alerts for these flaws. One of them, CVE-2025-9377, was added to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, August 3, giving FCEB agencies three weeks to apply the patch or replace the hardware.
In fact, CISA recently added three TP-Link flaws to KEV, CyberInsider reported, including CVE-2023-50224 (an authentication bypass via a spoofing vulnerability) and CVE-2020-24363 (a factory reset and reboot trigger via a subsequent TDDP_RESET request).
Via Malwarebytes