CVE-2025-9961 is a buffer overflow vulnerability classified under CWE-120 affecting TP-Link Systems Inc. AX10 and AX1500 router models across multiple firmware versions before 1.2.1 and 1.3.11 respectively. The flaw exists in the CWMP (CPE WAN Management Protocol) binary, which handles remote management communications. The vulnerability arises from a failure to properly check the size of input data before copying it into a buffer, enabling a classic buffer overflow scenario. An attacker who is authenticated on the device can exploit this vulnerability remotely to execute arbitrary code, potentially gaining control over the device. However, exploitation requires the attacker to be positioned as a Man-In-The-Middle (MITM) to intercept and manipulate the CWMP traffic. No user interaction or elevated privileges beyond authentication are needed, but the attacker must already have authenticated access to the device. The vulnerability affects multiple hardware versions of AX10 (V1 through V3.6) and AX1500 (V1 through V3.6) routers. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits or active exploitation have been reported yet. This vulnerability poses a significant risk to the security of affected devices, potentially allowing attackers to compromise network infrastructure and intercept or manipulate traffic.

The exploitation of CVE-2025-9961 can lead to complete compromise of affected TP-Link AX10 and AX1500 routers. Attackers could execute arbitrary code remotely, potentially installing persistent malware, intercepting or redirecting network traffic, or disrupting network availability. This threatens confidentiality by exposing sensitive data traversing the device, integrity by allowing manipulation of network communications, and availability by enabling denial-of-service conditions. Organizations relying on these routers for home or small office networks may face network breaches, data exfiltration, or service outages. The requirement for MITM positioning limits exploitation to attackers with network access or control, but this is feasible in many environments such as public Wi-Fi, compromised internal networks, or via malicious insiders. The vulnerability's broad impact on core network devices makes it a critical concern for enterprises, service providers, and consumers using these models worldwide.

1. Immediately update affected TP-Link AX10 and AX1500 devices to the latest firmware versions (1.2.1 or later for AX10 and 1.3.11 or later for AX1500) once available from the vendor. 2. Restrict access to the CWMP management interface to trusted networks only, ideally isolating management traffic from general user networks. 3. Employ network segmentation and strong access controls to prevent unauthorized access and reduce the risk of MITM attacks. 4. Use encrypted management protocols and VPNs to protect management traffic from interception or manipulation. 5. Monitor network traffic for unusual CWMP activity or signs of MITM attacks, such as unexpected certificate changes or anomalous packet flows. 6. Disable remote management features if not required to minimize the attack surface. 7. Educate users and administrators about the risks of connecting to untrusted networks where MITM attacks are more likely. 8. Implement strong authentication mechanisms and regularly audit device credentials to prevent unauthorized access.