CVE-2025-9961: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in TP-Link Systems Inc. AX10 V1/V1.2/V2/V2.6/V3/V3.6
An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500. The exploit can only be conducted via a Man-In-The-Middle (MITM) attack. This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.
AI Analysis
Technical Summary
CVE-2025-9961 is a high-severity buffer overflow vulnerability (CWE-120) found in TP-Link Systems Inc. AX10 and AX1500 series routers across multiple hardware versions (AX10 V1 through V3.6 and AX1500 V1 through V3.6). The vulnerability exists in the CWMP (CPE WAN Management Protocol) binary component of these devices. Specifically, the flaw arises from a classic buffer copy operation without proper input size validation, which can lead to a buffer overflow condition. An authenticated attacker can exploit this vulnerability remotely to execute arbitrary code on the affected device. However, exploitation requires a Man-In-The-Middle (MITM) attack vector, meaning the attacker must intercept and manipulate network traffic between the management server and the device. The vulnerability affects firmware versions prior to 1.2.1 for AX10 and prior to 1.3.11 for AX1500. The CVSS v4.0 base score is 8.6 (high), reflecting the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. Given the nature of CWMP, which is often used for remote device management by ISPs or administrators, this vulnerability could allow attackers to gain persistent control over the device, potentially leading to network compromise, interception of traffic, or pivoting attacks within the network infrastructure.
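As an added illustration (constructed for this write-up, not TP-Link's firmware code), the unchecked-copy pattern that CWE-120 describes, in a simplified CWMP-style parameter setter, beside a hardened form that compares the input length against the destination before copying. The 64-byte field size, the struct layout and the "Name=Value" message format are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of CWE-120 in a CWMP-style parameter setter.
 * Not TP-Link's code: the 64-byte field size and struct layout are assumptions. */
#define PARAM_FIELD_MAX 64

struct cwmp_param {
    char name[PARAM_FIELD_MAX];
    char value[PARAM_FIELD_MAX];
};

/* Vulnerable pattern: the value arrives in a remotely supplied management
 * message and is copied with no comparison against the destination size.
 * A value of PARAM_FIELD_MAX bytes or more overruns 'value'. */
void set_param_unchecked(struct cwmp_param *p, const char *value)
{
    strcpy(p->value, value);            /* CWE-120: no size check */
}

/* Hardened form: measure the input first and refuse anything that does not
 * fit together with its terminating NUL, instead of truncating silently. */
bool set_param_checked(struct cwmp_param *p, const char *value)
{
    size_t len = strlen(value);
    if (len >= PARAM_FIELD_MAX)
        return false;                   /* too long: reject the message */
    memcpy(p->value, value, len + 1);   /* len + 1 copies the NUL too */
    return true;
}

/* Parses one "Name=Value" pair (constructed format, not the real SOAP/XML
 * encoding of SetParameterValues) and applies it with the checked setter. */
bool apply_param(struct cwmp_param *p, const char *pair)
{
    const char *eq = strchr(pair, '=');
    if (eq == NULL)
        return false;
    size_t nlen = (size_t)(eq - pair);
    if (nlen == 0 || nlen >= sizeof p->name)
        return false;                   /* name field gets the same bound */
    memcpy(p->name, pair, nlen);
    p->name[nlen] = '\0';
    return set_param_checked(p, eq + 1);
}
```

The checked setter rejects an over-long value outright rather than truncating it, so the caller can fail the whole message and log it.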
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for enterprises, ISPs, and managed service providers that deploy TP-Link AX10 and AX1500 routers in their networks. Successful exploitation could lead to full compromise of the affected routers, enabling attackers to intercept sensitive communications, disrupt network availability, or use the compromised devices as footholds for further lateral movement. This is particularly critical for organizations handling sensitive personal data under GDPR, as unauthorized access or data interception could lead to regulatory penalties and reputational damage. Additionally, critical infrastructure operators and government agencies using these devices may face operational disruptions or espionage risks. The requirement for a MITM attack raises the bar for exploitation but does not eliminate risk, especially in environments where network segmentation is weak or where attackers have insider access or can compromise upstream network devices. The absence of known exploits in the wild currently reduces the immediate threat, but the high CVSS score and the potential for remote code execution warrant urgent attention.
Mitigation Recommendations
European organizations should take proactive and specific steps beyond generic patching advice:
1) Immediately inventory all TP-Link AX10 and AX1500 devices across all sites to identify affected hardware versions and firmware levels.
2) Engage with TP-Link or authorized vendors to obtain and deploy firmware updates as soon as they become available, prioritizing devices exposed to untrusted networks.
3) Implement network-level protections to prevent MITM attacks, such as enforcing strong encryption and authentication on management traffic (e.g., using VPN tunnels or IPsec for CWMP communication).
4) Restrict access to device management interfaces strictly to trusted IP addresses and networks, ideally isolating management traffic on separate VLANs or out-of-band management networks.
5) Monitor network traffic for unusual patterns indicative of MITM or exploitation attempts, including unexpected CWMP traffic or anomalous device behavior.
6) Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting CWMP anomalies or known buffer overflow exploit attempts.
7) Educate network administrators on the risks of this vulnerability and the importance of secure device management practices.
8) Prepare incident response plans specifically addressing potential router compromise scenarios to minimize impact if exploitation occurs.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: TPLink
- Date Reserved: 2025-09-03T17:19:40.584Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68bccd0da2c363fb16078fad
Added to database: 9/7/2025, 12:08:45 AM
Last enriched: 9/15/2025, 12:40:12 AM
Last updated: 10/23/2025, 6:14:03 PM