
CVE-2025-9377: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in TP-Link Systems Inc. Archer C7(EU) V2

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-9377, cwe-78
Published: Fri Aug 29 2025 (08/29/2025, 17:30:33 UTC)
Source: CVE Database V5
Vendor/Project: TP-Link Systems Inc.
Product: Archer C7(EU) V2

Description

An authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2 before 241108 and TL-WR841N/ND(MS) V9 before 241108. Both products have reached end-of-life (EOL) status. It is recommended to purchase a new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es).

AI-Powered Analysis

Last updated: 09/05/2025, 20:22:25 UTC

Technical Analysis

CVE-2025-9377 is a high-severity vulnerability classified under CWE-78, which pertains to improper neutralization of special elements used in OS commands, commonly known as OS Command Injection. This vulnerability affects TP-Link Systems Inc.'s Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 routers, specifically in the Parental Control page functionality. The flaw allows an authenticated attacker with high privileges to remotely execute arbitrary OS commands on the affected devices without requiring user interaction. The vulnerability exists due to insufficient sanitization of user-supplied input in the web interface, enabling command injection. Both affected models have reached end-of-life status, meaning they no longer receive regular security updates, increasing the risk for users who continue to deploy these devices. The CVSS 4.0 base score of 8.6 reflects the critical nature of this vulnerability, highlighting its network attack vector, low attack complexity, no need for user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the critical impact make it a significant threat. The lack of official patches and the recommendation to replace the devices underscore the severity and the challenge in mitigating this vulnerability on legacy hardware.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for small and medium enterprises or home office setups that rely on TP-Link Archer C7(EU) V2 or TL-WR841N/ND(MS) V9 routers. Successful exploitation could lead to complete compromise of the affected router, allowing attackers to intercept, manipulate, or disrupt network traffic, deploy malware, or pivot to internal networks. This could result in data breaches, service outages, and unauthorized access to sensitive information. Given the high prevalence of TP-Link devices in European consumer and SMB markets, the potential for widespread impact exists. The fact that these devices are EOL means organizations may not receive vendor support or patches, increasing exposure. Additionally, the Parental Control feature is often accessible via the router’s web interface, which may be exposed to internal or even external networks, depending on configuration, further increasing risk. The vulnerability could also be leveraged in supply chain attacks or targeted espionage campaigns against European entities, especially those with less mature cybersecurity postures.

Mitigation Recommendations

Given the end-of-life status of the affected devices, the primary mitigation is to replace the vulnerable routers with newer, supported models that receive regular security updates. If immediate replacement is not feasible, organizations should apply any available unofficial patches or firmware updates referenced by trusted security advisories. Network segmentation should be enforced to isolate vulnerable devices from critical infrastructure. Access to the router’s management interface should be restricted to trusted internal networks only, disabling remote management where possible. Strong authentication mechanisms should be enforced to prevent unauthorized access, and monitoring for unusual network activity or command execution attempts should be implemented. Additionally, organizations should conduct regular audits of network devices to identify and remediate legacy hardware. Employing network intrusion detection systems (NIDS) with signatures for command injection attempts on router management interfaces can provide early warning. Finally, educating users about the risks of outdated hardware and encouraging timely upgrades is essential.
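The device audit recommended above can be run against an asset inventory. The following is an added example, not part of the original advisory or any TP-Link tooling: it flags the two affected product lines and compares the firmware build against 241108 from the description. The CSV columns, host names, and firmware strings are constructed, and it assumes the firmware string carries a six-digit `Build YYMMDD` token.

```python
import csv
import io
import re

# First fixed build and affected models, taken from the CVE description.
FIXED_BUILD = 241108
AFFECTED = {("ARCHERC7(EU)", "V2"), ("TL-WR841N(MS)", "V9"), ("TL-WR841ND(MS)", "V9")}
# Assumption: firmware strings contain "Build" followed by a YYMMDD date.
BUILD_RE = re.compile(r"build\s*(\d{6})\b", re.IGNORECASE)


def normalize(text):
    """Drop whitespace and case so 'archer c7 (eu)' matches 'Archer C7(EU)'."""
    return re.sub(r"\s+", "", text).upper()


def classify(model, hw_version, firmware):
    """Return an audit status for one inventory row."""
    if (normalize(model), normalize(hw_version)) not in AFFECTED:
        return "not-listed"
    match = BUILD_RE.search(firmware)
    if match is None:
        return "check-manually"      # no build token: cannot rule the device out
    if int(match.group(1)) < FIXED_BUILD:
        return "vulnerable"
    return "patched-but-eol"         # fixed build, but still end-of-life hardware


def audit(inventory_csv):
    """Classify every row of a CSV with host, model, hw, firmware columns."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], classify(r["model"], r["hw"], r["firmware"])) for r in reader]


# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE = """\
host,model,hw,firmware
gw-branch-01,Archer C7(EU),V2,1.0.0 Build 200101 Rel.00000n
gw-branch-02,archer c7 (eu),v2,1.0.1 Build 241108 Rel.00000n
gw-home-03,TL-WR841N(MS),V9,1.0.0 Build 230515 Rel.00000n
gw-home-04,TL-WR841ND(MS),V9,unknown
gw-lab-05,Archer C7(EU),V5,1.0.0 Build 200101 Rel.00000n
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Rows marked `patched-but-eol` still belong on the replacement list, since both products are end-of-life.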


Technical Details

Data Version: 5.1
Assigner Short Name: TPLink
Date Reserved: 2025-08-23T00:15:09.238Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68b1f255ad5a09ad007a2862

Added to database: 8/29/2025, 6:32:53 PM

Last enriched: 9/5/2025, 8:22:25 PM

Last updated: 10/13/2025, 1:03:33 PM
