Active exploitation of TP-Link TL-WA855RE Wi-Fi range extender vulnerability
Summary
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a missing authentication vulnerability in TP-Link TL-WA855RE Wi-Fi range extender products. The flaw, tracked as CVE-2020-24363, allows attackers on the same network to send unauthenticated requests for a factory reset and reboot, potentially gaining administrative access. The vulnerability was disclosed in August 2020 and has been resolved by TP-Link in firmware updates. However, the product is now discontinued, and users are advised to discontinue its use. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it by September 23, 2025. On September 4, 2025, CISA added two additional TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its KEV catalog, noting evidence of active exploitation. These vulnerabilities affect multiple TP-Link router models, some of which have reached end-of-life status. TP-Link released firmware updates in November 2024 to address these issues, but recommends upgrading to newer hardware for enhanced protection.
Timeline
- 04.09.2025 13:03 (1 article)
CISA adds additional TP-Link router vulnerabilities to KEV catalog
On September 4, 2025, CISA added two additional TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, to its KEV catalog, noting evidence of active exploitation. These vulnerabilities affect multiple TP-Link router models, some of which have reached end-of-life status. TP-Link released firmware updates in November 2024 to address these issues, but recommends upgrading to newer hardware for enhanced protection. The affected models include TL-WR841N (versions 10.0 and 11.0), TL-WR841ND (version 10.0), and Archer C7 (versions 2.0 and 3.0). The exploitation activity is linked to the Quad7 botnet, associated with a China-linked threat actor known as Storm-0940, which conducts highly evasive password spray attacks. Federal agencies are urged to apply necessary mitigations by September 24, 2025.
Sources:
- CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited - thehackernews.com - 04.09.2025 13:03
- 03.09.2025 21:56 (2 articles)
CISA warns of active exploitation of TP-Link TL-WA855RE vulnerability
On September 3, 2025, CISA issued a warning about active exploitation of CVE-2020-24363 in TP-Link TL-WA855RE Wi-Fi range extenders. The vulnerability allows attackers to send unauthenticated requests for a factory reset and reboot, potentially gaining administrative access. The flaw was disclosed in August 2020 and resolved by TP-Link in firmware updates. However, the product is now discontinued, and users are advised to discontinue its use. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it by September 23, 2025.
Sources:
- US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
- CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited - thehackernews.com - 04.09.2025 13:03
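Both timeline entries boil down to the same defender task: find which devices in an inventory fall under a KEV entry and how much time remains before the catalog's due date, treating discontinued hardware as a replacement item rather than a patching item. The script below is an added example, not code from the page, CISA or TP-Link. The KEV field names follow the public catalog's JSON schema; the CVE IDs, vendor, model names and dates in the sample records come from the reporting above, while the requiredAction text, the host names and the third inventory device are constructed for illustration.

```python
"""Cross-check a device inventory against CISA KEV records.

Added example, not code from the original page, CISA or TP-Link.
KEV field names follow the public catalog's JSON schema; the entries
below are constructed from the CVE IDs and due dates reported in the
article, and the inventory is made up.
"""
import json
from datetime import date

# Constructed KEV-style records. Only the CVE IDs, vendor, products and
# dates come from the article; the requiredAction text is illustrative.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2020-24363",
            "vendorProject": "TP-Link",
            "product": "TL-WA855RE",
            "dateAdded": "2025-09-03",
            "dueDate": "2025-09-23",
            "requiredAction": "Product is end-of-life; discontinue use (constructed text).",
        },
        {
            "cveID": "CVE-2023-50224",
            "vendorProject": "TP-Link",
            "product": "TL-WR841N, TL-WR841ND, Archer C7",
            "dateAdded": "2025-09-04",
            "dueDate": "2025-09-24",
            "requiredAction": "Apply vendor firmware update or replace device (constructed text).",
        },
        {
            "cveID": "CVE-2025-9377",
            "vendorProject": "TP-Link",
            "product": "TL-WR841N, TL-WR841ND, Archer C7",
            "dateAdded": "2025-09-04",
            "dueDate": "2025-09-24",
            "requiredAction": "Apply vendor firmware update or replace device (constructed text).",
        },
    ]
})

# Constructed inventory: host names and the third device are hypothetical.
ASSETS = [
    {"host": "ext-lobby-01", "vendor": "TP-Link", "product": "TL-WA855RE", "end_of_life": True},
    {"host": "rtr-branch-07", "vendor": "TP-Link", "product": "Archer C7", "end_of_life": False},
    {"host": "ap-floor2-03", "vendor": "ExampleVendor", "product": "AP-100", "end_of_life": False},
]


def kev_index(kev_json: str) -> dict:
    """Return a mapping of CVE ID -> KEV record from catalog JSON text."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def product_matches(entry: dict, asset: dict) -> bool:
    """Case-insensitive vendor match plus substring match on the product
    field, since KEV product strings often list several models at once."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower() in entry["product"].lower())


def assess(assets: list, kev_json: str, today_iso: str) -> list:
    """Flag every asset that matches a KEV entry.

    Status is 'replace' for end-of-life hardware (patching is not an
    option, as with the TL-WA855RE), 'overdue' when the KEV due date has
    passed, and 'due' otherwise. Results are sorted by days remaining.
    """
    today = date.fromisoformat(today_iso)
    index = kev_index(kev_json)
    findings = []
    for asset in assets:
        for cve, entry in index.items():
            if not product_matches(entry, asset):
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            if asset.get("end_of_life"):
                status = "replace"
            elif days_left < 0:
                status = "overdue"
            else:
                status = "due"
            findings.append({
                "host": asset["host"], "cve": cve, "due": entry["dueDate"],
                "days_left": days_left, "status": status,
                "action": entry["requiredAction"],
            })
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in assess(ASSETS, KEV_SAMPLE, "2025-09-10"):
        print(f"{f['host']:14} {f['cve']:15} {f['status']:8} due {f['due']} ({f['days_left']:+d}d)")
```

The substring match on the product field is deliberate: KEV product strings are free text and often name several models in one entry, so an exact match would silently miss devices. Against the real catalog you would load the published JSON instead of KEV_SAMPLE and feed the script your own asset export.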
Information Snippets
- The vulnerability, CVE-2020-24363, has a CVSS score of 8.8 and allows attackers to send unauthenticated requests for a factory reset and reboot.
  First reported: 03.09.2025 21:56 (1 source, 1 article)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
- The flaw was disclosed in August 2020 by malwrforensics, noting that attackers could bypass authentication mechanisms.
  First reported: 03.09.2025 21:56 (1 source, 1 article)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
- TP-Link resolved the vulnerability in firmware release (EU)_V5_200731 and has since released several other updates.
  First reported: 03.09.2025 21:56 (1 source, 1 article)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
- The TL-WA855RE extender is now marked as discontinued on TP-Link's website.
  First reported: 03.09.2025 21:56 (1 source, 1 article)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
- CISA added CVE-2020-24363 to its Known Exploited Vulnerabilities (KEV) catalog on September 3, 2025.
  First reported: 03.09.2025 21:56 (2 sources, 2 articles)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
  - CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited - thehackernews.com - 04.09.2025 13:03
- Proof-of-concept (PoC) exploit code targeting the vulnerability has been publicly available since July 2020.
  First reported: 03.09.2025 21:56 (1 source, 1 article)
  Sources:
  - US Cybersecurity Agency Flags Wi-Fi Range Extender Vulnerability Under Active Attack - www.securityweek.com - 03.09.2025 21:56
Similar Happenings
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks.
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.
Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android
Google released September 2025 Android security updates addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities allow privilege escalation without user interaction. The patches include fixes for remote code execution, information disclosure, and denial-of-service issues across various components. The updates are part of Google's monthly security bulletin, with two patch levels released to provide flexibility for Android partners. The vulnerabilities were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG).
Exploit chain in Sitecore Experience Platform enables remote code execution
Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE). The flaws include HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches for these vulnerabilities were released in June and July 2025. The exploit chain leverages a combination of pre-authentication and post-authentication vulnerabilities to compromise fully-patched instances of the platform. Additionally, a zero-day vulnerability (CVE-2025-53690) has been exploited by threat actors to deliver malware, including WeepSteel, and perform extensive reconnaissance and lateral movement. The flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2025 Sitecore guides. The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690. The malicious payload dropped by the attackers is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information. The attack observed by Mandiant stemmed from a documentation issue involving sample machine keys provided for customer use. Sitecore advised customers to rotate and secure ASP.NET machine keys, encrypt
AI-Driven Exploit Generation Reduces Time to Proof-of-Concept to 15 Minutes
A new AI-powered system, Auto Exploit, developed by Israeli researchers, generates proof-of-concept exploits for vulnerabilities in open-source software in under 15 minutes. The system uses large language models (LLMs) to analyze CVE advisories and patches, creating exploits for 14 vulnerabilities. This development highlights the potential for rapid, automated exploit creation, significantly reducing the time defenders have to respond to new vulnerabilities. The system leverages Anthropic's Claude-sonnet-4.0 model to analyze advisories and code patches, generating exploit code and validating it against vulnerable and patched applications. The researchers emphasize that this capability could be used by both financially motivated attackers and nation-state actors, increasing the risk of N-day exploits. The ease of bypassing LLM guardrails and the low cost of generating exploits underscore the need for defenders to adapt to faster exploitation cycles and focus on reachability analysis to prioritize vulnerability remediation.