Critical Flaw Discovered in TP-Link Routers
Researchers from the ByteRay team have disclosed a critical vulnerability in TP-Link routers that enables remote execution of arbitrary code by bypassing Address Space Layout Randomization (ASLR). Tracked as CVE-2025-9961 (CVSS score: 8.6), the flaw was discovered in the CWMP (TR-069) service. Exploitation requires nothing more than a specially crafted SOAP request, granting attackers complete control over the affected device.
The issue stems from unrestricted stack writes during parameter handling within CWMP. By deploying a rogue ACS server, an attacker can send an oversized packet, overwrite the instruction pointer, and seize control of execution flow. Despite ASLR being enabled, brute-forcing base addresses combined with the ability to restart the service via the web interface allows reliable circumvention of this protection. The attack chain culminates in a ret2libc technique, invoking the system() function from the libc library. Ultimately, an ELF binary is loaded on the victim’s side, establishing a reverse TCP shell.
For proof of concept, the researchers developed their own Python-based ACS, since standard tools like GenieACS could not properly handle the required byte ranges. Their service executes three steps: initiating a TR-069 session and retrieving the CPE identifier, setting a cookie and delivering the SetParameterValues overflow, and then iterating through the address space while repeatedly restarting CWMP through the router’s control panel. The final payload leverages curl to fetch and launch a remote shell, thereby granting attackers network access to the compromised device.
ByteRay uncovered the vulnerability during experiments with firmware rollback, where an older bug (CVE-2023-1389) was exploited to load a susceptible version of CWMP. Security analysis with checksec revealed the absence of PIE and stack canaries, while NX and partial RELRO were active. ASLR provided only 9–10 bits of entropy for libc and the stack, rendering brute force feasible.
TP-Link has since released firmware updates addressing the flaw by introducing strict input length validation, full RELRO, and stack canaries. Administrators are strongly advised to patch devices without delay, disable remote ACS configuration if unused, enforce strong passwords for the web interface, and restrict TR-069 access to trusted networks.
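As an added defensive illustration (not code from ByteRay, TP-Link or the advisory), the following Python inspects CWMP SetParameterValues envelopes and flags parameter values that exceed a length limit, the same class of check as the strict input length validation introduced in the fix, applied at an inspection proxy or IDS in front of the CPE. The limits, the helper `_spv` and the sample envelope are assumptions constructed for the example.

```python
"""Flag oversized parameter values in a CWMP (TR-069) SetParameterValues
request, the message type abused in CVE-2025-9961.  Added example for an
inspection proxy or IDS; the length limits are assumptions, not advisory values."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"
MAX_NAME_LEN = 256    # TR-069 bounds parameter paths at 256 characters
MAX_VALUE_LEN = 1024  # assumed deployment limit; tune per parameter model


def inspect_set_parameter_values(soap_xml: str) -> list:
    """Return one finding per ParameterValueStruct whose Name or Value exceeds
    its limit; other message types and in-bounds values yield an empty list."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        # A malformed envelope is itself worth surfacing: a real ACS
        # does not emit broken XML.
        return [{"param": None, "field": "xml", "length": len(soap_xml),
                 "reason": "unparseable envelope: %s" % exc}]
    findings = []
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        return findings
    for spv in body.iter("{%s}SetParameterValues" % CWMP_NS):
        # ParameterValueStruct and its children are unqualified in TR-069
        for pvs in spv.iter("ParameterValueStruct"):
            name = pvs.findtext("Name") or ""
            value = pvs.findtext("Value") or ""
            for field, text, limit in (("Name", name, MAX_NAME_LEN),
                                       ("Value", value, MAX_VALUE_LEN)):
                if len(text) > limit:
                    findings.append({"param": name[:80], "field": field,
                                     "length": len(text),
                                     "reason": "exceeds %d-byte limit" % limit})
    return findings


def _spv(value: str) -> str:
    """Build a constructed SetParameterValues envelope carrying one value."""
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:cwmp="%s">'
            '<SOAP-ENV:Body><cwmp:SetParameterValues><ParameterList>'
            '<ParameterValueStruct>'
            '<Name>Device.ManagementServer.PeriodicInformInterval</Name>'
            '<Value>%s</Value></ParameterValueStruct></ParameterList>'
            '</cwmp:SetParameterValues></SOAP-ENV:Body></SOAP-ENV:Envelope>'
            % (SOAP_NS, CWMP_NS, value))
```

Running `inspect_set_parameter_values(_spv("300"))` returns no findings, while a value of several kilobytes produces a single finding on the Value field with its length, which is the condition a proxy would block before it reaches the CPE's CWMP parser.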
The case of CVE-2025-9961 underscores that even embedded security mechanisms remain fragile when binary hardening is incomplete and input validation weak. Timely updates, layered defenses, and rigorous security controls continue to be the cornerstone of resilience against such threats.