CVE-2025-9961

HIGH

AX10/AX1500 <1.2.1/<1.3.11 - RCE

Title source: llm

Description

An authenticated attacker may remotely execute arbitrary code via the CWMP binary on the devices AX10 and AX1500. The exploit can only be conducted via a Man-In-The-Middle (MITM) attack. This issue affects AX10 V1/V1.2/V2/V2.6/V3/V3.6: before 1.2.1; AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6: before 1.3.11.

Exploits (1)

nomisec WORKING POC 3 stars

by yt2w · poc

https://github.com/yt2w/CVE-2025-9961

View Code ZIP pw:eip

References (4)

[Various Sources] https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679

[Various Sources] https://www.tp-link.com/us/support/download/archer-ax10/

[Various Sources] https://www.tp-link.com/us/support/download/archer-ax1500/

[Various Sources] https://www.tp-link.com/us/support/faq/4647/

Scores

CVSS v4 8.6

EPSS 0.0023

EPSS Percentile 45.9%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-120

Status published

Products (2)

TP-Link Systems Inc./AX10 V1/V1.2/V2/V2.6/V3/V3.6 < 1.2.1

TP-Link Systems Inc./AX1500 V1/V1.20/V1.26/V1.60/V1.80/V2.60/V3.6 < 1.3.11

Published Sep 06, 2025

Tracked Since Feb 18, 2026