Worrying TP-Link router flaws could let botnets attack your Microsoft 365 accounts - so update now

News
By published

Chinese state-sponsored threat actors seen targeting old TP-Link routers

Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
(Image credit: Getty Images)
  • TP-Link patches two vulnerabilities in older SOHO routers
  • Chinese threat actor Quad7 used the botnet for broad password-spraying attacks
  • The flaws were severe enough to warrant firmware updates, despite the routers being end-of-life

TP-Link has patched two vulnerabilities affecting some of its small office/home office (SOHO) routers, which were apparently used by Chinese actors to create a malicious botnet used to target Microsoft 365 accounts.

In a security advisory, TP-Link said it was notified of two flaws: CVE-2025-50224 and CVE-2025-9377, being chained together against Archer C7 and TL-WR841N/ND routers. The former is an authentication bypass vulnerability with a medium-severity score (6.5/10) while the latter is a high-severity remote command execution (RCE) vulnerability, with a score of 8.6/10.

The routers being targeted reached their end-of-life (EoL) status, meaning they should no longer be receiving security updates or patches. However, given the severity of the attacks, TP-Link still decided to issue a firmware update.

CISA's warnings

The group exploiting these flaws is called Quad7 (AKA 7777), a Chinese threat actor which has also been linked to state-sponsored cyber-espionage campaigns.

In this instance, the group used the botnet to perform password-spraying attacks against Microsoft 365 accounts. It doesn’t seem to be targeting any specific demographic, meaning everyone is equally at risk.

Malwarebytes research said some ISPs provide their customers with TP-Link’s routers, urging users to double-check which devices they’re running in their homes and offices.

“Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America,” it says. “For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.”

At the same time, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued advisories for these flaws. One of the flaws - CVE-2025-9377 - was added to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, August 3, giving FCEB agencies three weeks to apply the patch or replace the hardware.

In fact, CISA recently added three TP-LINK flaws to KEV, CyberInsider reported, including CVE-2023-50224 (an authentication bypass by spoofing vulnerability), and CVE-2020-24363 (a factory reset and reboot trigger via a TDDP_RESET POST request).

Via Malwarebytes

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.