
CVE-2025-9377: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Systems Inc. Archer C7(EU) V2

Severity: High
Tags: Vulnerability, CVE-2025-9377, CWE-78
Published: Fri Aug 29 2025 (08/29/2025, 17:30:33 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: Archer C7(EU) V2

Description

An authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It is recommended to purchase a new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).

AI-Powered Analysis

Last updated: 08/29/2025, 18:47:47 UTC

Technical Analysis

CVE-2025-9377 is a high-severity vulnerability classified under CWE-78 (improper neutralization of special elements used in an OS command, commonly called OS command injection). It affects the TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers in the Parental Control page of the web management interface. An authenticated attacker with high privileges (an administrator session on the management interface) can execute arbitrary OS commands on the device remotely, with no user interaction required.

The root cause is that input submitted through the Parental Control page is not sanitized or neutralized for shell metacharacters before it reaches an OS command, so an attacker can append commands of their own to the one the firmware intends to run. Firmware builds earlier than 241108 are affected. Both products are end-of-life, so no security updates beyond the fix referenced in the advisory should be expected.

The CVSS 4.0 base score is 8.6 (High): network attack vector, low attack complexity, no user interaction, high privileges required. Successful exploitation compromises the confidentiality, integrity and availability of the router and, because the router is the network gateway, potentially of the network behind it: an attacker can take control of the device, intercept or manipulate traffic, or disrupt service. No exploitation in the wild has been reported, but the combination of a simple injection primitive and the wide deployment of these models in home and small-office networks keeps the risk significant. Because administrative authentication is required, practical exposure depends on how reachable the management interface is and how strong its credentials are.
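The injection pattern described above, as an added example that is not TP-Link's firmware code and does not reproduce the actual vulnerable parameter (the advisory does not name it): a hypothetical CGI handler that takes a hostname from a parental-control blocklist field. The vulnerable version splices the field into a shell command string, so a value carrying ";" runs a second command; the hardened version enforces a hostname allowlist and invokes the tool through execv with an argument vector, so no shell ever parses the value. The input strings are constructed for the demonstration, and `echo` stands in for whatever firewall or DNS tool the real firmware would call.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512
#define OUT_MAX 4096

/* Constructed inputs: one hostname from a hypothetical blocklist form
 * field, plain and with a shell metacharacter payload appended. */
static const char *NORMAL_HOST   = "example.com";
static const char *INJECTED_HOST = "example.com; echo INJECTED";

/* Run a command line through /bin/sh and capture its stdout. */
static int capture_sh(const char *cmdline, char *out, size_t outlen) {
    FILE *fp = popen(cmdline, "r");
    if (!fp) return -1;
    size_t n = fread(out, 1, outlen - 1, fp);
    out[n] = '\0';
    pclose(fp);
    return (int)n;
}

/* VULNERABLE pattern (CWE-78): the field is formatted into a command
 * string that a shell interprets, so ';', '|', '`' and '$(' are live. */
int block_host_vulnerable(const char *host, char *out, size_t outlen) {
    char cmd[CMD_MAX];
    snprintf(cmd, sizeof cmd, "echo blocking %s", host);
    return capture_sh(cmd, out, outlen);
}

/* Allowlist check: RFC 1123 hostname characters and label rules only. */
bool is_valid_hostname(const char *host) {
    size_t len = strlen(host), label = 0;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {                       /* label separator */
            if (label == 0 || host[i - 1] == '-') return false;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (label == 0 && c == '-') return false;
            if (++label > 63) return false;
        } else {
            return false;                     /* ';', space, quotes, ... */
        }
    }
    return label > 0 && host[len - 1] != '-';
}

/* HARDENED pattern: validate, then execv with an argument vector. The
 * value can only ever be one argv element; no shell is involved. */
int block_host_hardened(const char *host, char *out, size_t outlen) {
    if (!is_valid_hostname(host)) return -1;
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { "echo", "blocking", (char *)host, NULL };
        execv("/bin/echo", argv);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? (int)n : -1;
}

/* Probes used by the demonstration: did the injected command run? */
bool vulnerable_is_injected(void) {
    char out[OUT_MAX];
    block_host_vulnerable(INJECTED_HOST, out, sizeof out);
    return strstr(out, "\nINJECTED") != NULL;   /* second command's output */
}

int hardened_result_for_injected(void) {
    char out[OUT_MAX];
    return block_host_hardened(INJECTED_HOST, out, sizeof out);  /* rejected: -1 */
}

bool hardened_output_matches(const char *host, const char *expected) {
    char out[OUT_MAX];
    if (block_host_hardened(host, out, sizeof out) < 0) return false;
    return strcmp(out, expected) == 0;
}

int main(void) {
    char out[OUT_MAX];
    block_host_vulnerable(INJECTED_HOST, out, sizeof out);
    printf("vulnerable output:\n%s", out);
    printf("hardened(injected) -> %d\n", hardened_result_for_injected());
    block_host_hardened(NORMAL_HOST, out, sizeof out);
    printf("hardened output:\n%s", out);
    return 0;
}
```

Build with `cc -o cmdinj cmdinj.c` on any POSIX system with /bin/sh and /bin/echo. The vulnerable path prints a second line, INJECTED, because the shell split the field at ";". Note that the allowlist is the primary control and execv is the second: validation alone still fails if the tool itself interprets its argument (an option starting with "-", for instance), and execv alone still passes whatever the attacker typed as one argument.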

Potential Impact

For European organizations, especially small and medium enterprises (SMEs) and home-office users relying on the Archer C7(EU) V2 or TL-WR841N/ND(MS) V9, this vulnerability is a substantial risk. A compromised router gives the attacker a foothold at the network gateway: they can intercept or manipulate traffic, move laterally to internal hosts, install a persistent backdoor, or change DNS settings to redirect users to malicious sites. Because the devices are end-of-life, the 241108 build is a one-off fix; no further updates should be expected, and devices that are never patched or replaced stay exposed indefinitely. Under GDPR, a breach traced to an unpatched, unsupported gateway can carry compliance and reputational consequences. Organizations with remote workers on these devices, or with such routers in operational environments, also face disruption and espionage risks.

Mitigation Recommendations

1. Replace affected devices with newer, supported models; this is the vendor's own recommendation and the only way to get ongoing security updates.
2. If replacement is not feasible in the short term, install the vendor-supplied fix: firmware build 241108 or later, available through the second reference link in the advisory. Take the image only from TP-Link and confirm it matches the exact hardware revision (Archer C7(EU) V2 or TL-WR841N/ND(MS) V9) before flashing.
3. Restrict access to the management interface to trusted internal networks and disable remote (WAN-side) management.
4. Change default credentials and use strong, unique administrator passwords; because exploitation requires an authenticated high-privilege session, credential hygiene directly limits exposure.
5. Monitor for unusual activity originating from the router itself, such as unexpected outbound connections from the device, changes to DNS or firewall settings, or administrator logins from unfamiliar sources.
6. Segment networks so critical assets are not directly reachable from a segment whose gateway is a vulnerable router.
7. Educate users about the risks of unsupported hardware and track device lifecycle so EOL equipment is retired on schedule.
8. Where the architecture allows, place intrusion detection/prevention (IDS/IPS) in front of router management interfaces to detect or block exploitation attempts.


Technical Details

Data Version
5.1
Assigner Short Name
TPLink
Date Reserved
2025-08-23T00:15:09.238Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b1f255ad5a09ad007a2862

Added to database: 8/29/2025, 6:32:53 PM

Last enriched: 8/29/2025, 6:47:47 PM

Last updated: 8/29/2025, 6:47:47 PM


