Researchers have uncovered a zero-day vulnerability in TP-Link routers that allows attackers to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code remotely.
Tracked as CVE-2025-9961, this flaw resides in the CWMP (TR-069) binary and can be triggered through malformed SOAP requests, granting full control of affected devices.
A detailed technical walkthrough of discovery, exploitation, and remediation follows, along with a concise summary of the vulnerability’s impact and prerequisites.
CVE Details and Impact
The vulnerability stems from an unchecked stack-based buffer overflow in the CWMP parameter-setting routine.
By delivering a carefully crafted payload via a custom ACS server, attackers can overwrite the program counter and hijack execution flow.
Despite ASLR being active, brute-forcing the base address space yields reliable exploitation when combined with automated service restarts via the web UI.
A ret2libc approach leveraging libc’s system() function ultimately spawns a reverse shell on the victim network.
| CVE ID | Affected Product | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2025-9961 | TP-Link CWMP service | Remote Code Execution | Valid router web UI credentials, custom ACS server, brute-forcing ASLR | 9.8 |
Discovery and PoC Development
ByteRay’s team first identified CVE-2025-9961 during firmware downgrade experiments, leveraging an earlier command injection flaw (CVE-2023-1389) to load a vulnerable CWMP version.
Using checksec, they confirmed the binary lacked PIE and stack canaries, though NX and partial RELRO were enabled and ASLR provided 9- to 10-bit entropy on libc and stack respectively.
Initial PoCs via GenieACS failed to preserve non-printable bytes, prompting the creation of a bespoke Python-based ACS that fully transmits the payload byte range.
The custom ACS performs three steps:
- Initiate a TR-069 session and retrieve the device’s CPE identifier.
- Establish session cookies and send a SetParameterValues request containing the overflow payload.
- Brute-force the randomized base address, handling CWMP crashes by restarting the service through the router’s web panel.
A ret2libc chain loads a reverse shell payload hosted on a simple HTTP server. Key gadgets and function pointers are calculated dynamically to avoid null bytes.
The final payload invokes curl to fetch and execute a malicious ELF shell binary, resulting in a reverse TCP connection to the attacker.
TP-Link has released firmware updates addressing CVE-2025-9961 by adding input length checks and enabling full RELRO and stack canaries.
Administrators should upgrade immediately and disable remote ACS configuration unless explicitly required. Enforcing strong credentials on the web UI and restricting TR-069 access to trusted networks further reduces exposure.
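Beyond patching, operators who must keep TR-069 reachable can screen incoming SetParameterValues requests for the two traits the article attributes to the exploit: parameter values far longer than any legitimate setting, and raw non-printable bytes in the SOAP body. The following check is an added example written for this page (not ByteRay's PoC or TP-Link's fix); the 256-character threshold and the sample envelopes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed threshold: legitimate TR-069 values (URLs, intervals, flags) are short;
# tune it to what the managed devices actually receive.
MAX_VALUE_LEN = 256

def _local(tag: str) -> str:
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def inspect_set_parameter_values(body: bytes, max_len: int = MAX_VALUE_LEN) -> list:
    """Return findings for one CWMP request body; an empty list means nothing suspicious."""
    findings = []
    # Control bytes other than tab/LF/CR never occur in well-formed XML; flag them
    # before parsing so a payload that breaks the parser is still reported.
    ctrl = sorted(b for b in set(body) if b < 0x20 and b not in (0x09, 0x0A, 0x0D))
    if ctrl:
        findings.append(f"non-printable bytes present: {ctrl}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as err:
        findings.append(f"malformed XML: {err}")
        return findings
    for struct in root.iter():
        if _local(struct.tag) != "ParameterValueStruct":
            continue
        fields = {_local(child.tag): (child.text or "") for child in struct}
        value = fields.get("Value", "")
        if len(value) > max_len:
            findings.append(f"oversized Value for {fields.get('Name', '?')!r}: {len(value)} chars")
    return findings

def build_request(name: bytes, value: bytes) -> bytes:
    """Constructed SetParameterValues envelope used only as sample input."""
    return (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            b'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soapenv:Body>'
            b"<cwmp:SetParameterValues><ParameterList><ParameterValueStruct>"
            b"<Name>" + name + b"</Name><Value>" + value + b"</Value>"
            b"</ParameterValueStruct></ParameterList></cwmp:SetParameterValues>"
            b"</soapenv:Body></soapenv:Envelope>")

# Constructed samples: a routine configuration change, an oversized filler value,
# and a value carrying raw control bytes (placeholders, not the real exploit payload).
BENIGN = build_request(b"InternetGatewayDevice.ManagementServer.PeriodicInformInterval", b"3600")
OVERSIZED = build_request(b"InternetGatewayDevice.ManagementServer.URL", b"A" * 1024)
BINARY = build_request(b"InternetGatewayDevice.ManagementServer.URL", b"\x01\x02\x03" * 4)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("binary", BINARY)):
        print(label, inspect_set_parameter_values(req) or "ok")
```

Placed on an ACS-side proxy or IDS, a non-empty result is a reason to drop the request and alert; the CWMP service restarts the article describes would also show up as repeated crashes in the device log.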
CVE-2025-9961 highlights the severe risks posed by flawed management protocols and insufficient binary hardening.
Timely patching and defense-in-depth measures remain critical to safeguarding network infrastructure against advanced exploitation techniques.