CVE-2025-9377 is an authenticated remote command execution vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection) affecting TP-Link Systems Inc. routers, specifically the Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 models. The vulnerability resides in the Parental Control web interface, where user-supplied input is not properly sanitized before being incorporated into OS-level commands. This flaw allows an attacker with valid credentials to execute arbitrary commands on the underlying operating system of the router remotely. The affected firmware versions are those prior to build 241108. Both products have reached end-of-life status, meaning official support and security updates are limited or unavailable, increasing exposure risk. The CVSS 4.0 base score is 8.6, indicating high severity, with attack vector being network-based, low attack complexity, no user interaction, but requiring high privileges (authenticated access). The vulnerability impacts confidentiality, integrity, and availability with high scope and impact. No public exploits have been reported yet, but the nature of the flaw suggests that once exploited, attackers could gain full control over the device, manipulate network traffic, intercept sensitive data, or launch further attacks within the network. The recommendation is to replace affected devices with newer, supported models or apply any available patches if replacement is not immediately possible.

For European organizations, this vulnerability poses significant risks, especially for those relying on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers in their network infrastructure. Successful exploitation could lead to full compromise of the router, enabling attackers to intercept or manipulate network traffic, disrupt internet connectivity, or pivot to internal systems. This could affect confidentiality of sensitive communications, integrity of data flows, and availability of network services. Given that these models are end-of-life, many organizations may not receive timely security updates, increasing the window of exposure. Critical sectors such as finance, healthcare, government, and telecommunications could face operational disruptions or data breaches. Additionally, the vulnerability could be leveraged for launching broader attacks such as distributed denial-of-service (DDoS) or lateral movement within corporate networks. The requirement for authentication limits the attack surface but insider threats or compromised credentials could still enable exploitation.

1. Immediate replacement of affected TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers with newer, supported models that receive regular security updates. 2. If replacement is not feasible in the short term, apply any available firmware patches or updates provided by TP-Link or trusted third parties to remediate the vulnerability. 3. Restrict access to the router’s management interface by limiting it to trusted internal networks and disabling remote management where possible. 4. Enforce strong authentication mechanisms and regularly update administrative credentials to reduce risk of credential compromise. 5. Monitor network traffic for unusual patterns indicative of exploitation attempts or command injection activity. 6. Segment critical network assets to minimize impact if a router is compromised. 7. Conduct regular security audits and vulnerability assessments focusing on network infrastructure devices. 8. Educate IT staff about the risks associated with end-of-life hardware and the importance of timely upgrades.