Do you have a TP-Link router? Congratulations, hackers have gained root access to your network

The problem could affect tens of thousands of devices.

Researchers from the ByteRay team have reported a critical vulnerability in TP-Link routers that allows for remote code execution by bypassing the Address Space Layout Randomization (ASLR) protection mechanism. The flaw, assigned the identifier CVE-2025-9961 (CVSS score: 8.6), was discovered in the CWMP (TR-069) service. Exploitation simply requires sending a specially crafted SOAP request, which gives attackers full control over the device.
The issue is an unbounded stack write that occurs when CWMP processes parameter values. Using their own ACS server, an attacker can send an oversized packet, overwrite the saved instruction pointer, and hijack control flow. Although ASLR is enabled, brute-forcing base addresses combined with the ability to restart the service via the web interface reliably bypasses the protection. The attack is completed with a ret2libc technique that calls the system() function from libc. Ultimately, an ELF binary is loaded on the victim's side, creating a reverse TCP connection.
To prove the concept, the researchers developed their own ACS in Python, as standard tools like GenieACS could not correctly transmit the byte range. Their service performs three steps: it initiates a TR-069 session and obtains the CPE identifier, sets a cookie and sends a SetParameterValues request with the overflow, and then brute-forces the address space by restarting the CWMP service through the router's admin panel. The final payload uses curl to download and execute a remote shell, providing remote access to the victim's network.
ByteRay stumbled upon this vulnerability during experiments with firmware rollback, where an older flaw, CVE-2023-1389, was used to load a vulnerable version of CWMP. Analysis with the checksec utility revealed the absence of PIE and stack canary protection, while NX and partial RELRO were enabled. ASLR provided entropy of only 9-10 bits for libc and the stack, making brute-forcing practically feasible.
TP-Link has already released firmware updates that fix the vulnerability by adding input-length checks and enabling full RELRO protection and stack canaries. Administrators are strongly advised to update their devices, disable remote ACS configuration if it is not used, set strong passwords for the web interface, and restrict TR-069 access to trusted networks. The case of CVE-2025-9961 shows that built-in protection mechanisms such as ASLR can be defeated when binary hardening is incomplete and input validation is weak, and that timely updates and a multi-layered defense remain the key security measures.
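As an added illustration (not TP-Link's firmware code and not ByteRay's proof of concept, neither of which is reproduced here), the following C shows the defect class the article describes, a SOAP parameter value copied into a fixed-size stack buffer with no length check, next to the kind of input-length check the fix is described as adding. The buffer size, function names and the parameter names used as sample input are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit; the device's real CWMP parameter sizes are not given in the article. */
#define PARAM_VALUE_MAX 64

enum store_status { STORE_OK = 0, STORE_TOO_LONG = -1, STORE_BAD_ARG = -2 };

/* BEFORE: the class of defect the article describes. The SOAP parameter value
 * is copied into a fixed-size stack buffer with no length check, so a value
 * longer than the buffer overwrites whatever sits above it on the stack
 * (including the saved return address when no canary is present).
 * Shown only for contrast; it is never called on untrusted input here. */
void store_param_value_unchecked(const char *value)
{
    char buf[PARAM_VALUE_MAX];
    strcpy(buf, value); /* unbounded stack write */
    (void)buf;
}

/* AFTER: an explicit input-length check of the kind the fix adds.
 * The value is copied only if it fits, terminator included; anything longer
 * is refused rather than silently truncated. memchr is bounded by out_len,
 * so a value with no terminator in range is never scanned further. */
int store_param_value_checked(const char *value, char *out, size_t out_len)
{
    if (value == NULL || out == NULL || out_len == 0)
        return STORE_BAD_ARG;
    const char *end = memchr(value, '\0', out_len);
    if (end == NULL)
        return STORE_TOO_LONG; /* no NUL within out_len bytes: it does not fit */
    size_t n = (size_t)(end - value);
    memcpy(out, value, n + 1); /* n bytes plus the terminator */
    return STORE_OK;
}

/* Per-parameter handler, as a SetParameterValues loop would invoke it. */
int handle_set_parameter_value(const char *name, const char *value)
{
    char buf[PARAM_VALUE_MAX];
    int rc = store_param_value_checked(value, buf, sizeof buf);
    if (rc != STORE_OK) {
        fprintf(stderr, "SetParameterValues: rejecting %s (status %d)\n", name, rc);
        return rc;
    }
    printf("SetParameterValues: stored %s=%s\n", name, buf);
    return rc;
}

/* Constructed inputs (not from the article) that exercise the check. */
int demo_fitting_value(void)
{
    return handle_set_parameter_value("Device.ManagementServer.PeriodicInformInterval", "300");
}

int demo_oversized_value(void)
{
    char big[PARAM_VALUE_MAX * 4];
    memset(big, 'A', sizeof big - 1); /* 255 bytes of 'A', far beyond the 64-byte buffer */
    big[sizeof big - 1] = '\0';
    return handle_set_parameter_value("Device.ManagementServer.URL", big);
}

int main(void)
{
    int ok = demo_fitting_value() == STORE_OK && demo_oversized_value() == STORE_TOO_LONG;
    return ok ? 0 : 1;
}
```

The length check is only half of the fix the article credits TP-Link with; the other half is build hardening, which is a compiler and linker matter rather than a code change: `-fstack-protector-strong` emits the stack canaries the original binary lacked, and `-Wl,-z,relro,-z,now` turns partial RELRO into full RELRO. Re-running checksec on the rebuilt binary is the quickest way to confirm both took effect.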