How were TP-Link routers exploited by Chinese hackers?

Chinese hacking groups used vulnerabilities in TP-Link routers to create botnets, such as Quad7, for credential-theft operations targeting U.S. entities.

What are the implications of this lawsuit for consumers?

The lawsuit underscores the importance of scrutinizing the security and sourcing of networking devices to protect against potential cyber threats.

Texas Sues TP-Link Over Chinese Hacking Risks

Texas Attorney General files lawsuit against TP-Link for deceptive marketing and security vulnerabilities exploited by Chinese hackers.

Published: February 20, 2026

Share this on:

Executive Summary

In February 2026, the Texas Attorney General filed a lawsuit against TP-Link Systems Inc., alleging deceptive marketing practices and security vulnerabilities in their networking devices. The suit claims that TP-Link misled consumers by labeling products as 'Made in Vietnam' while sourcing components from China, potentially exposing users to Chinese state-sponsored cyberattacks. The lawsuit highlights instances where TP-Link routers were exploited by Chinese hacking groups, such as the Quad7 botnet, to conduct credential-theft operations targeting U.S. entities. This legal action underscores the growing concern over supply chain security and the integrity of networking equipment used by consumers and businesses. As cyber threats evolve, ensuring transparency in product sourcing and robust security measures in networking devices becomes increasingly critical to protect against state-sponsored cyber espionage and attacks.

Why This Matters Now

The lawsuit against TP-Link highlights the urgent need for transparency in supply chains and robust security measures in networking devices to protect against state-sponsored cyber threats.

Attack Path Analysis

Chinese state-sponsored hackers exploited firmware vulnerabilities in TP-Link routers to gain initial access, escalated privileges to control the devices, moved laterally to build a botnet, established command and control channels, exfiltrated sensitive data, and launched password-spraying attacks against Microsoft 365 accounts.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

High

Command & Control

High

Exfiltration

Mediuminferred

Impact

High

Initial Compromise

Description

Attackers exploited firmware vulnerabilities in TP-Link routers to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-9377
CVSS 7.2
A remote command execution vulnerability in TP-Link routers allows unauthenticated attackers to execute arbitrary commands on the device.
Affected Products:
TP-Link Archer C7 – V2
TP-Link TL-WR841N/ND – V9
Exploit Status:
exploited in the wild
References:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://www.techradar.com/pro/security/worrying-tp-link-router-flaws-could-let-botnets-attack-your-microsoft-365-accounts-so-update-now
CVE-2023-50224
CVSS 6.5
An authentication bypass vulnerability in TP-Link routers allows attackers to access the device without proper credentials.
Affected Products:
TP-Link Archer C7 – V2
TP-Link TL-WR841N/ND – V9
Exploit Status:
exploited in the wild
References:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog https://www.techradar.com/pro/security/worrying-tp-link-router-flaws-could-let-botnets-attack-your-microsoft-365-accounts-so-update-now

MITRE ATT&CK® Techniques

Initial Access

T1195.003

Compromise Hardware Supply Chain

Initial Access

T1195.002

Compromise Software Supply Chain

Defense Evasion

T1078

Valid Accounts

Credential Access

T1110.003

Brute Force: Password Spraying

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Command and Control

T1568.002

Dynamic Resolution: Domain Generation Algorithms

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Control ID: 6.2

The exploitation of firmware vulnerabilities in TP-Link routers indicates a failure to apply timely security patches, compromising system integrity and exposing cardholder data to potential breaches.

NYDFS 23 NYCRR 500 – Application Security

Control ID: 500.08

The presence of exploitable vulnerabilities in TP-Link's firmware suggests inadequate application security practices, violating the requirement to implement secure development practices for in-house developed applications.

DORA – ICT Risk Management Framework

Control ID: Article 6

The incident highlights deficiencies in TP-Link's ICT risk management framework, as the exploitation of supply chain vulnerabilities indicates a lack of comprehensive risk assessment and mitigation strategies.

CISA ZTMM 2.0 – Implement supply chain risk management practices to ensure the security of products and services.

Control ID: Supply Chain Risk Management

The compromise of TP-Link's supply chain underscores the necessity for robust supply chain risk management practices to prevent adversaries from exploiting hardware and software vulnerabilities.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a failure to implement appropriate cybersecurity risk management measures, as required by the NIS2 Directive, leading to the exploitation of network devices and potential disruption of essential services.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

TP-Link router vulnerabilities enable Chinese state-backed lateral movement and encrypted traffic interception across telecommunications infrastructure, compromising critical network security and customer data protection.

Government Administration

Supply chain compromise through Chinese-manufactured networking equipment creates national security risks, enabling state-sponsored surveillance and potential exfiltration of sensitive government communications and data.

Financial Services

Banking networks using compromised TP-Link devices face credential theft botnets and unauthorized access, violating PCI compliance requirements and exposing customer financial data to exfiltration.

Health Care / Life Sciences

Healthcare organizations using affected networking equipment risk HIPAA violations through unencrypted traffic exposure and potential lateral movement attacks compromising protected health information systems.

Sources

Texas sues TP-Link over Chinese hacking risks, user deceptionhttps://www.bleepingcomputer.com/news/security/texas-sues-tp-link-over-chinese-hacking-risks-user-deception/
Verified

Microsoft: Chinese hackers use Quad7 botnet to steal credentialshttps://www.bleepingcomputer.com/news/security/microsoft-chinese-hackers-use-quad7-botnet-to-steal-credentials/

Verified

Worrying TP-Link router flaws could let botnets attack your Microsoft 365 accounts - so update nowhttps://www.techradar.com/pro/security/worrying-tp-link-router-flaws-could-let-botnets-attack-your-microsoft-365-accounts-so-update-now

Verified

Frequently Asked Questions

The lawsuit alleges that TP-Link engaged in deceptive marketing by mislabeling products and failed to secure devices against exploitation by Chinese state-sponsored hackers.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally within the network, thereby reducing the overall blast radius of the attack.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit firmware vulnerabilities may have been constrained, reducing the likelihood of unauthorized access.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges may have been constrained, limiting their control over compromised devices.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement within the network may have been constrained, limiting the spread of the botnet.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The establishment of command and control channels may have been constrained, limiting the attacker's ability to orchestrate further attacks.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The exfiltration of sensitive data may have been constrained, limiting the attacker's ability to remove data from the network.

Impact (Mitigations)

The scope of the password-spraying attacks may have been constrained, limiting potential account compromises.

Impact at a Glance

Affected Business Functions

Network Security
Data Privacy
User Authentication

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of user credentials and sensitive data due to compromised routers.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within networks.
• Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
• Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic.
• Ensure regular firmware updates and vulnerability management for all network devices.
• Conduct continuous monitoring and anomaly detection to identify and respond to suspicious activities promptly.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Texas Sues TP-Link Over Chinese Hacking Risks

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-9377

Affected Products:

Exploit Status:

References:

CVE-2023-50224

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Compromise Hardware Supply Chain

Compromise Software Supply Chain

Valid Accounts

Brute Force: Password Spraying

Application Layer Protocol: Web Protocols

Dynamic Resolution: Domain Generation Algorithms

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

NYDFS 23 NYCRR 500 – Application Security

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Implement supply chain risk management practices to ensure the security of products and services.

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Telecommunications

Government Administration

Financial Services

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads