【⚠️ TP-Link Confirms Botnet Vulnerability on Older Routers】

TP-Link has confirmed that older SOHO routers are being exploited by the Quad 7 (7777) botnet, also tracked as CovertNetwork-1658, to carry out password spray attacks on Microsoft 365 accounts.

【 Vulnerabilities Used】
→ CVE-2023-50224: Unauthenticated file disclosure, allowing credential theft.
→ CVE-2025-9377: Command injection exploit via Parental Control page, enabling remote code execution (RCE).

【 Affected Models】
→ TL-WR841N/ND(MS) 9.0 – Firmware version 3.16.9 Build 150320 Rel.57500n
→ Archer C7(EU) 2.0 – Firmware version 3.15.3 Build 180305 Rel.51282n

Both models are already End of Life (EOL) but TP-Link has released patched firmware updates to secure devices still in use.

【 Key Note】
The exploit chain only works if remote administration is enabled to the internet—a feature disabled by default. TP-Link advises all users not to expose the admin interface online.

【✅ TP-Link Response】
→ Released patched firmware for impacted models.
→ Working with researchers to track ongoing botnet activity.
→ Monitoring for other potentially vulnerable devices.

Users are strongly advised to update their firmware and disable unnecessary remote access.