TP-Link Router Zero-Day Lets Attackers Execute Code by Bypassing ASLR


Researchers have uncovered a zero-day vulnerability in TP-Link routers that allows attackers to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code remotely.

Tracked as CVE-2025-9961, this flaw resides in the CWMP (TR-069) binary and can be triggered through malformed SOAP requests, granting full control of affected devices.

A detailed technical walkthrough of discovery, exploitation, and remediation follows, along with a concise summary of the vulnerability’s impact and prerequisites.

CVE Details and Impact

The vulnerability stems from an unchecked stack-based buffer overflow in the CWMP parameter-setting routine.

By delivering a carefully crafted payload via a custom ACS server, attackers can overwrite the program counter and hijack execution flow.

Although ASLR is active, brute-forcing the randomized base address yields reliable exploitation when combined with automated restarts of the service through the web UI.

A ret2libc approach leveraging libc’s system() function ultimately spawns a reverse shell on the victim network.
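As an added illustration, not code from the article or from TP-Link's firmware, the shape of the defect described above in C: a parameter-setting handler that copies a SOAP <Value> into a fixed stack buffer with no bound, beside a hardened version that rejects over-long values before anything is copied. All function names and the 64-byte limit are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model, not TP-Link's code, of a TR-069 SetParameterValues
 * handler copying a SOAP <Value> into a fixed stack buffer. VALUE_MAX and
 * every function name here are assumptions made for this example. */
#define VALUE_MAX 64

/* Vulnerable form: no bound check, so a <Value> of VALUE_MAX bytes or more
 * runs past 'buf' into the saved return address. Shown for contrast only. */
void set_param_unchecked(const char *name, const char *value)
{
    char buf[VALUE_MAX];
    strcpy(buf, value);          /* overflows when strlen(value) >= VALUE_MAX */
    printf("%s := %s\n", name, buf);
}

/* Hardened form: require the terminator within the first VALUE_MAX bytes and
 * reject the request otherwise, before anything touches the stack buffer.
 * Returns 0 when the value is applied, -1 when it is rejected. */
int set_param_checked(const char *name, const char *value)
{
    char buf[VALUE_MAX];
    const char *nul;
    if (name == NULL || value == NULL)
        return -1;
    nul = memchr(value, '\0', VALUE_MAX);   /* looks at most VALUE_MAX bytes */
    if (nul == NULL)
        return -1;               /* would need VALUE_MAX bytes or more: reject */
    memcpy(buf, value, (size_t)(nul - value) + 1);   /* copy incl. the NUL */
    printf("%s := %s\n", name, buf);
    return 0;
}

/* Helper: submit a value of 'len' bytes of 'A' through the checked path. */
int accepts_value_of_length(size_t len)
{
    char value[512];
    if (len >= sizeof value)
        return -1;               /* far over the limit: rejected either way */
    memset(value, 'A', len);
    value[len] = '\0';
    return set_param_checked("Device.DeviceInfo.ProvisioningCode", value);
}

int main(void)
{
    printf("63-byte value -> %d\n", accepts_value_of_length(63));  /* 0 */
    printf("64-byte value -> %d\n", accepts_value_of_length(64));  /* -1 */
    return 0;
}
```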

CVE ...

Copyright of this story solely belongs to gbhackers.