CVE-2025-9961

HIGH

TP-Link AX10 and AX1500 CWMP - Man-in-the-Middle Code Execution


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-9961. PoCs published by yt2w.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-9961, a stack-based buffer overflow in TP-Link AX10/AX1500 routers via CWMP (TR-069) on port 7547. The exploit uses ret2libc to achieve remote code execution, with ASLR bypass via brute force and support for DoS and RCE modes.

Description

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500.  The exploit can only be conducted via a Man-In-The-Middle (MITM) attack.  This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

Exploits (1)

nomisec WORKING POC 3 stars
by yt2w · poc
https://github.com/yt2w/CVE-2025-9961


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: TP-Link AX10 < 1.2.1, AX1500 < 1.3.11
No auth needed
Prerequisites: Network access to port 7547 on the target device · CWMP service enabled on the target
Analysis: devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v4 8.6
EPSS 0.0982
EPSS Percentile 94.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-120
Status published
Products (2)
TP-Link Systems Inc./AX10 V1/V1.2/V2/V2.6/V3/V3.6 < 1.2.1
TP-Link Systems Inc./AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6 < 1.3.11
Published Sep 06, 2025
Tracked Since Feb 18, 2026