TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts

TP-Link has issued a warning about a botnet exploiting two vulnerabilities to infect small office/home (SOHO) routers, which are then weaponized to attack Microsoft 365 accounts.

The vulnerabilities affect the Archer C7 and TL-WR841N/ND routers, though other models may also be at risk. Despite the fact that these routers have reached end-of-life (EOL), TP-Link has nonetheless released firmware updates to address the flaws.

If you have a router issued by your internet service provider (ISP) this also deserves checking. Several ISPs have used the TP-Link Archer C7 and TL-WR841N/ND routers, sometimes rebranding them for distribution to customers, especially in Europe and North America. For example, Dutch ISP Ziggo is known to have rebranded the TP-Link Archer C7 as the “Wifibooster Ziggo C7”, supplying it to customers with Ziggo-specific firmware.

The two vulnerabilities, tracked as CVE-2025-50224 and CVE-2025-9377, are chained to add a router to a botnet. CVE-2025-50224 is a vulnerability that allows an attacker to steal passwords from the router and CVE-2025-9377 is a known Parental Control command injection RCE exploit, allowing the attacker to run their code on the router.

The botnet, called Quad7 (aka 7777) uses the infected routers to perform password-spraying attacks against Microsoft 365 accounts. Password spraying literally means trying common passwords across many accounts or using many common passwords against the same account.

Last year, Microsoft warned about the same botnet but the specific vulnerabilities were unknown at the time. Detection remains difficult for defenders, as the botnet uses thousands of IP addresses from home users and small businesses. TP-Link urges owners of these router models to install the updated firmware or switch to a fully supported router. The company is also investigating reports that other models might be vulnerable. Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has also issued advisories for these two flaws.

Recommendations for owners of TP-Link routers

It is rare that a manufacturer would issue a firmware update for a EOL product, which emphasizes the importance of deploying that update. Being a part of a botnet is not just a danger to others, it can considerably slow down your home device(s).

• Check if your router is an Archer C7 or TL-WR841N/ND, or another older TP-Link model. If so, update your firmware immediately with the version provided by TP-Link.
• If firmware updates are no longer provided or your router is out of support, strongly consider upgrading to a supported model.
• Change your router’s admin password to a strong, unique value, meaning you should avoid reusing passwords from other accounts.
• Disable remote management features unless absolutely necessary and always check that parental control pages are only accessible by authenticated users.

Recommendations for Microsoft 365 users

Since the botnet is used at this moment in time to take over Microsoft 365 accounts, there are a few things you can do to make this a lot harder.

• Use a strong, unique password for your Microsoft 365 account. Avoid using common or guessable words and passwords.
• Enable multi-factor authentication (MFA) for added protection. This significantly reduces the risk of unauthorized access, even if your password is exposed.
• Watch for suspicious sign-in attempts or alerts from Microsoft, and review your login history regularly.
• If you suspect your account has been targeted, reset your password immediately and run a security checkup on your account.

Staying ahead of threats like botnets means keeping devices patched, using strong authentication practices, and remaining alert for updates on device security. Don’t wait until your router—or your Microsoft 365 account—becomes part of someone else’s attack toolkit.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.