
TP-Link Router End-of-Service Models Exploited in Botnet Operation

Red | Vulnerability Report

TP-Link Router End-of-Service Models Exploited in Quad7 Botnet Operation

Summary

Two critical TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, are being actively exploited by the Quad7 botnet (a.k.a. CovertNetwork-1658, xlogin). The botnet, associated with Chinese threat actor Storm-0940, leverages compromised routers to steal credentials and execute malicious code, enabling password spray and brute-force attacks against Microsoft 365 accounts globally.

Although TP-Link has issued patches, the affected routers—TL-WR841N/ND (MS) V9 and Archer C7 (EU) V2—are End-of-Service (EOS), leaving many still vulnerable. Exploitation requires that the router’s remote administration interface is exposed to the internet, which is disabled by default. Secure configurations and timely firmware updates are critical.


Vulnerability Details

  • CVE-2023-50224 (Authentication Bypass)

    • Affects TP-Link TL-WR841N.

    • CWE-290: Authentication Bypass by Spoofing.

    • Exploited to retrieve stored router credentials from /tmp/dropbear/dropbearpwd.

  • CVE-2025-9377 (Command Injection)

    • Affects Archer C7 (EU) V2 and TL-WR841N/ND (MS) V9.

    • CWE-78: OS Command Injection.

    • Exploited via the Parental Control page (url_0 parameter) to achieve remote code execution.

Attack Chain: Credentials are stolen via CVE-2023-50224, then replayed against the router’s management interface. Once authenticated, CVE-2025-9377 is used to inject commands for full device compromise.

The compromised routers are then used as SOCKS5 proxies, relaying brute-force attempts against Microsoft 365 services. Since August 2023, these highly evasive password spray attacks have stolen multiple enterprise credentials. Storm-0940 and other Chinese groups reuse these stolen credentials for global intrusions.


Recommendations

  • Immediate Firmware Updates:

  • Router Configuration Hardening:

    • Disable Remote Management unless absolutely necessary.

    • Manage locally or via the TP-Link Tether App.

    • Regularly reset and update admin credentials.

  • Replacement of End-of-Life Devices:

    • Upgrade to modern TP-Link routers with enhanced hardware security.

    • EOL devices will not receive long-term security support.

  • Network Security Best Practices:

    • Segment IoT and business-critical devices onto separate networks.

    • Monitor for unusual traffic patterns that may indicate botnet participation.

    • Strengthen Microsoft 365 security with MFA and account monitoring.
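The account-monitoring recommendation above is easiest to act on with a concrete spray detector. The following is an added example, not code from the advisory or from TP-Link or Microsoft: it takes constructed newline-delimited JSON sign-in events (the field names `ts`, `ip`, `user`, `result` are assumptions, not the real Entra ID sign-in log schema) and flags source IPs that fail against many distinct accounts with only a few attempts per account, the low-and-slow shape the advisory describes, while leaving a single-account brute force unflagged.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): one proxy IP spraying eight
# accounts once each, a normal user with one typo, and a single-account brute force.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2025-09-01T10:{m:02d}:00Z", "ip": "203.0.113.10",
                 "user": f"user{m}@example.com", "result": "failure"})
     for m in range(8)]
    + [json.dumps({"ts": "2025-09-01T10:05:00Z", "ip": "198.51.100.7",
                   "user": "alice@example.com", "result": "failure"}),
       json.dumps({"ts": "2025-09-01T10:06:00Z", "ip": "198.51.100.7",
                   "user": "alice@example.com", "result": "success"})]
    + [json.dumps({"ts": f"2025-09-01T10:{m:02d}:30Z", "ip": "192.0.2.44",
                   "user": "bob@example.com", "result": "failure"})
       for m in range(12)]
)

def parse_events(text):
    """Parse newline-delimited JSON into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["ip"], rec["user"].lower(), rec["result"]))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Return {ip: distinct_accounts} for IPs whose failures within any sliding window
    span many accounts with few tries each; one account hammered from one IP is not a spray."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "failure":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = max(alerts.get(ip, 0), len(per_user))
    return alerts
```

Tune `window`, `min_accounts` and `max_per_account` to the tenant's baseline; a spray relayed through many compromised routers will also split across source IPs, so the same logic is worth re-running keyed on ASN or on the accounts themselves.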


Indicators of Compromise (IoCs)



MITRE ATT&CK TTPs

  • Initial Access: T1190 (Exploit Public-Facing Applications)

  • Execution: T1203 (Exploitation for Client Execution), T1059 (Command & Scripting Interpreter)

  • Persistence: TA0003 (Persistence)

  • Defense Evasion: T1027 (Obfuscated Files), T1552 (Unsecured Credentials)

  • Credential Access: T1110.003 (Password Spraying), T1552.001 (Credentials in Files)

  • Discovery: T1087 (Account Discovery), T1046 (Network Service Discovery)

  • Command & Control: T1090 (Proxy), T1071.001 (Web Protocols), T1571 (Non-Standard Port)

  • Impact: T1496 (Resource Hijacking)

