TP-Link has announced the upcoming international release of a fix for a zero-day flaw affecting numerous router models after developing a patch for European models, reports BleepingComputer.

Exploitation of the stack-based buffer overflow in the routers' CPE WAN Management Protocol (CWMP) implementation, which stems from the absence of bounds checking in 'strncpy' calls, could facilitate remote code execution and the subsequent deployment of illicit payloads, according to independent security researcher Mehrun, also known as ByteRay, who discovered and reported the vulnerability.

"Our technical team is also reviewing the reported findings in detail to confirm device exposure criteria and deployment conditions, including whether CWMP is enabled by default. We strongly encourage all users to keep their devices updated with the latest firmware as it becomes available via our official support channels," said TP-Link.

The development follows the inclusion of a pair of TP-Link bugs, tracked as CVE-2023-50224 and CVE-2025-9377, in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
Vulnerability Management, Network Security, Patch/Configuration Management
Global fix for TP-Link zero-day imminent




