TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts
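TP-Link warns that vulnerabilities in some of its SOHO routers are being used to build a botnet that attacks Microsoft 365 accounts. Affected models include the Archer C7 and TL-WR841N/ND; although they have reached end of life, firmware updates have been released to fix the issues. Users are advised to update their firmware promptly and take security measures to reduce the risk. 2025-9-4 10:50:16 Author: www.malwarebytes.com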

TP-Link has issued a warning about a botnet exploiting two vulnerabilities to infect small office/home (SOHO) routers, which are then weaponized to attack Microsoft 365 accounts. 

The vulnerabilities affect the Archer C7 and TL-WR841N/ND routers, though other models may also be at risk. Despite the fact that these routers have reached end-of-life (EOL), TP-Link has nonetheless released firmware updates to address the flaws.

If your router was issued by your internet service provider (ISP), it deserves checking too. Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America. For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.

The two vulnerabilities, tracked as CVE-2025-50224 and CVE-2025-9377, are chained to add a router to a botnet. CVE-2025-50224 allows an attacker to steal passwords from the router, and CVE-2025-9377 is a known command injection flaw in the Parental Control feature that leads to remote code execution (RCE), allowing the attacker to run their code on the router.

The botnet, called Quad7 (aka 7777), uses the infected routers to perform password-spraying attacks against Microsoft 365 accounts. Password spraying means trying common passwords across many accounts or using many common passwords against the same account.

Last year, Microsoft warned about the same botnet but the specific vulnerabilities were unknown at the time. Detection remains difficult for defenders, as the botnet uses thousands of IP addresses from home users and small businesses. TP-Link urges owners of these router models to install the updated firmware or switch to a fully supported router. The company is also investigating reports that other models might be vulnerable. Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued advisories for these two flaws.
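To illustrate why this traffic is hard to detect, here is an added example (not from the original article or from Microsoft) that contrasts a per-IP failure threshold with a tenant-wide check over constructed sign-in records. The record layout, thresholds, addresses and account names are assumptions made for the illustration, not a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed sign-in records: (time, source_ip, account, success)."""
    t0 = datetime(2025, 9, 1, 3, 0)
    events = []
    # Distributed spray: 30 home-user IPs, 2 failures each, 60 different accounts.
    for i in range(30):
        for j in range(2):
            events.append((t0 + timedelta(seconds=90 * i + j), f"198.51.100.{i + 1}",
                           f"user{2 * i + j}@example.com", False))
    # Ordinary noise: one user mistypes a password three times, then signs in.
    for k in range(3):
        events.append((t0 + timedelta(hours=5, minutes=k), "203.0.113.7",
                       "alice@example.com", False))
    events.append((t0 + timedelta(hours=5, minutes=4), "203.0.113.7",
                   "alice@example.com", True))
    return events

def per_ip_alerts(events, threshold=10):
    """Classic rule: flag any single IP with >= threshold failed sign-ins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_windows(events, window=timedelta(hours=1), min_ips=20,
                  min_accounts=20, max_per_ip=3):
    """Tenant-wide rule: many IPs, many accounts, few failures per IP in one window."""
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            buckets[(ts - epoch) // window].append((ip, account))
    flagged = []
    for idx, rows in sorted(buckets.items()):
        ips = {ip for ip, _ in rows}
        accounts = {acct for _, acct in rows}
        if (len(ips) >= min_ips and len(accounts) >= min_accounts
                and len(rows) / len(ips) <= max_per_ip):
            flagged.append((epoch + idx * window, len(ips), len(accounts)))
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP alerts:", per_ip_alerts(ev))
    for start, n_ips, n_accts in spray_windows(ev):
        print(f"possible spray from {start}: {n_ips} IPs, {n_accts} accounts")
```

On the constructed data the per-IP rule stays silent because no address exceeds three failures, while the aggregate view flags the one-hour window in which 30 addresses failed against 60 accounts.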

It is rare for a manufacturer to issue a firmware update for an EOL product, which underlines the importance of deploying that update. Being part of a botnet is not just a danger to others; it can also considerably slow down your home devices.

  • Check if your router is an Archer C7 or TL-WR841N/ND, or another older TP-Link model. If so, update your firmware immediately with the version provided by TP-Link.
  • If firmware updates are no longer provided or your router is out of support, strongly consider upgrading to a supported model.
  • Change your router’s admin password to a strong, unique value, meaning you should avoid reusing passwords from other accounts.
  • Disable remote management features unless absolutely necessary and always check that parental control pages are only accessible by authenticated users.

Recommendations for Microsoft 365 users

Since the botnet is currently used to take over Microsoft 365 accounts, there are a few things you can do to make this a lot harder.

Staying ahead of threats like botnets means keeping devices patched, using strong authentication practices, and remaining alert for updates on device security. Don’t wait until your router—or your Microsoft 365 account—becomes part of someone else’s attack toolkit.



Source: https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infecting-routers-and-targeting-microsoft-365-accounts