Back to KEVs

CVE-2025-9377

Authenticated RCE via Parental Control command injection

Basic Information

CVE State
PUBLISHED
Reserved Date
August 23, 2025
Published Date
August 29, 2025
Last Updated
February 26, 2026
Vendor
TP-Link Systems Inc.
Product
Archer C7(EU) V2, TL-WR841N/ND(MS) V9
Description
The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).
Tags
cisa

CVSS Scores

CVSS v4.0

8.6 - HIGH

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:40:02 UTC) Source

References

https://www.tp-link.com/us/support/faq/4365/ https://www.tp-link.com/us/support/faq/4308/

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:40:02 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel