Unpatched Vulnerability Found in TP-Link Routers

Red Dog Security

08 Sep 2025 — 1 min read

TP-Link has confirmed a previously unknown zero-day vulnerability affecting several of its router models. The company said it is investigating the issue and preparing security updates.

Discovery and Technical Details

The flaw was discovered by an independent researcher using the alias ByteRay, who first reported it to TP-Link on May 11, 2024.

Although the vulnerability has not yet been assigned a CVE identifier, ByteRay describes it as a stack buffer overflow in TP-Link’s implementation of the CPE WAN Management Protocol (CWMP). The bug stems from insufficient bounds checking in strncpy calls that process SOAP SetParameterValues messages. If the stack buffer size exceeds 3,072 bytes, a buffer overflow can occur, potentially allowing remote code execution.

The researcher noted that attackers could exploit the issue by redirecting vulnerable devices to a malicious CWMP server and delivering an oversized SOAP payload to trigger the overflow.

Potential Impact

If exploited, the flaw could give attackers significant control over affected routers. Possible consequences include:

Redirecting DNS requests to malicious servers
Intercepting or altering unencrypted internet traffic
Injecting malicious data into web sessions

Affected Devices

During testing, ByteRay confirmed the vulnerability in the TP-Link Archer AX10 and Archer AX1500. He also suggested it may affect the EX141, Archer VR400, TD-W9970, and potentially other TP-Link models that use similar CWMP binaries.

TP-Link’s Response

A TP-Link spokesperson told BleepingComputer that the company is reviewing the researcher’s findings to determine the scope of affected devices and the conditions under which the flaw can be exploited, including whether CWMP is enabled by default.

The company said a patch has already been developed for certain European router models, and work is underway on firmware updates for the U.S. and other regions. No specific release dates have been provided.

“Our technical team is thoroughly reviewing the researcher’s findings to confirm the impact criteria for devices and the conditions for exploitation,” TP-Link stated.

The s1ngularity Attack Affected 2,180 GitHub Accounts

Specialists from Wiz have published new details on the recent s1ngularity attack targeting the open-source build system NX. The incident exposed data from 2,180 GitHub accounts and compromised more than 7,200 repositories, making it one of the largest supply chain breaches seen this year. What Is NX? NX

iCloud Calendar Is Being Exploited to Send Phishing Emails from Apple’s Servers

Invitations sent through iCloud Calendar are being weaponized to deliver phishing emails disguised as purchase notifications—sent directly from Apple’s own mail servers. This tactic significantly increases the chances of bypassing spam filters. A Familiar Scam with a New Twist According to Bleeping Computer, a reader recently shared a

Hacked npm Packages Downloaded More Than 2.6 Billion Times Weekly

Researchers are warning of what may be the largest supply chain attack in history. Attackers injected malware into several of the most widely used npm packages—collectively downloaded more than 2.6 billion times each week. The breach was made possible when hackers compromised a maintainer’s account through a

Google May Make AI Mode in Search Available by Default

Google is preparing to give users more control over its AI-powered search experience by allowing “AI mode” to be set as the default—potentially replacing traditional link-based results. What AI Mode Does AI mode is a version of Google Search that uses large language models (LLMs) to generate summaries of