Security Check-in Quick Hits: TP-Link RCE Flaw, BlackLock Ransomware, DNS Botnet Exploits, Evasive Ransomware Trends, and Airport Disruptions
For September 22, 2025
TP-Link Router RCE Vulnerability (CVE-2025-9961): Public PoC, Patches Available
Home and small-business routers sit at the network edge and remain a prime target for attackers looking for a foothold. A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-9961, has been disclosed in TP-Link routers, specifically the Archer AX10 and AX1500 series. The flaw is a stack-based buffer overflow in the router's implementation of the CPE WAN Management Protocol (CWMP), better known as TR-069, the protocol ISPs use to manage customer equipment remotely from an auto-configuration server (ACS).
The bug is reachable through the management channel, but exploiting it requires a Man-in-the-Middle (MITM) position: the attacker must be able to intercept or impersonate the CWMP traffic between the router and its ACS. Researchers at ByteRay have published a proof-of-concept (PoC) exploit that bypasses Address Space Layout Randomization (ASLR) and gains full control of the device. CVSS scores reported for the flaw range from 7.2 to 8.6 depending on the source. A compromised router can be used for device takeover, botnet recruitment, interception of the traffic passing through it, or denial of service. Affected hardware revisions span AX10 V1 to V3.6 and AX1500 V1 to V3.6; TP-Link has released fixed firmware, version 1.2.1 for the AX10 and 1.3.11 for the AX1500.
The disclosure is another reminder of the risk carried by IoT and edge devices, where default configurations and slow update cycles turn everyday hardware into an entry point for broader network compromise. Users should update firmware immediately, confirm that remote management is enabled only where it is needed, and watch for unusual activity. Once a PoC is public, the time defenders have before exploitation attempts begin shrinks, so prompt patching is what keeps them ahead.
BlackLock Ransomware: The Cross-Platform Menace on the Rise
Ransomware continues to dominate the threat landscape, and BlackLock is one of the most aggressive operations of 2025. It runs as Ransomware-as-a-Service (RaaS); the group has been active since March 2024 and rebranded from the earlier El Dorado operation. Its payload targets Windows, Linux, and VMware ESXi. It is written in Go, and the language's cross-compilation makes it straightforward to build one code base for every platform, widening the attack surface considerably.
BlackLock runs a double-extortion play: it encrypts files with ChaCha20 using a unique key and nonce per file, while exfiltrating sensitive data so that victims can be threatened with a leak. Command-line options customize each run, including propagation to SMB shares using plaintext passwords or NTLM hashes. An ESXi mode, not fully implemented in every sample, is intended to shut down virtual machines before encryption so that their disk files are no longer locked by the hypervisor. The group has claimed more than 40 organizations in two months, concentrated in construction, real estate, technology, manufacturing, finance, and government, across countries including the US, Canada, Spain, and Japan. Affiliates are recruited on forums such as RAMP, where the operator known as "$$$" posts aggressively to grow the network.
What sets BlackLock apart is its pace, a 1,425% jump in activity in Q4 2024, and its use of custom-built malware rather than leaked builders, which helps it evade signatures written for better-known families. Victims receive a note named "HOW_RETURN_YOUR_DATA.TXT" demanding payment in Bitcoin. Defensive priorities are multi-factor authentication, tested offline backups, and network segmentation, together with hardening of ESXi hosts and SMB shares, since those are the paths the payload uses. BlackLock's trajectory underscores the need for defenses that cover every platform in an interconnected estate.
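The two artefacts the write-up above gives a defender, a ransom-note file name and per-file ChaCha20 ciphertext, are enough for a first-pass hunt. The script below is an added example, not BlackLock's code and not a vendor detection: it walks a directory tree, flags files whose name matches the note, and flags files whose byte distribution is close to uniform (what ChaCha20 output looks like). The note name comes from the article; the 7.9 bits/byte threshold, the list of skipped compressed formats, and the sample tree built under a temporary directory are assumptions for illustration.

```python
"""Hunt a file tree for ransomware artefacts: ransom notes by name and files
whose content looks encrypted (near-uniform byte distribution).

Added example, not BlackLock's code. The note name is from the article; the
entropy threshold, skip list and sample tree are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE_NAMES = {"HOW_RETURN_YOUR_DATA.TXT"}   # from the article
ENTROPY_THRESHOLD = 7.9   # bits/byte; assumption: stream-cipher output is ~8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is examined
# Already high-entropy by design; scanning these would only produce false positives.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root; return paths of ransom notes and of suspiciously random files."""
    notes, encrypted = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper() in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            if os.path.splitext(name)[1].lower() in COMPRESSED_EXTS:
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            # Very small files give unreliable entropy estimates, so skip them.
            if len(head) >= 4096 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append(path)
    return {"ransom_notes": sorted(notes), "high_entropy_files": sorted(encrypted)}


def build_sample_tree() -> str:
    """Constructed demo tree: one plaintext file, one 'encrypted' file, one note."""
    root = tempfile.mkdtemp(prefix="blacklock-demo-")
    with open(os.path.join(root, "report.docx.txt"), "wb") as fh:
        fh.write(b"Quarterly figures, all lines legible.\n" * 500)
    with open(os.path.join(root, "report.docx.locked"), "wb") as fh:
        fh.write(os.urandom(16384))          # stand-in for ChaCha20 ciphertext
    with open(os.path.join(root, "HOW_RETURN_YOUR_DATA.TXT"), "w") as fh:
        fh.write("Your files are encrypted. Pay in Bitcoin.\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in scan_tree(demo_root).items():
        print(kind)
        for p in paths:
            print("  ", p)
```

Run it against a real share with `scan_tree("/mnt/share")`. Entropy alone is a weak signal (archives, media and already-encrypted documents all score near 8.0), so in practice the high-entropy hit list is a triage queue to correlate with file modification times, the presence of a note in the same directory, and the extension the payload appends.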
New Botnet Exploits DNS Misconfigurations for Massive Malspam Campaigns
Botnets are evolving, and a newly documented one uses DNS misconfigurations together with compromised routers to run large-scale malicious spam (malspam) operations. It has hijacked more than 13,000 MikroTik routers and turned them into open SOCKS4 proxies that relay spoofed email. The emails typically pose as freight invoices and carry ZIP archives containing malicious JavaScript, which launches PowerShell to reach a command-and-control (C2) server at 62.133.60.137, an address linked to Russian threat actors.
The botnet relies on default or weak router configurations to scale delivery and to hide the true origin of the mail, which makes IP-based blocking ineffective. Its key trick is abusing misconfigured Sender Policy Framework (SPF) records: in the cases reported, the spoofed domains publish SPF records ending in the permissive +all mechanism, which authorizes any host to send on their behalf, so mail relayed through a hijacked router passes SPF, and without an enforcing DMARC policy it is delivered as if legitimate. Because the headers look genuine, infection rates in corporate environments are higher than for ordinary spam. Reported impacts include persistence via scheduled tasks, data exfiltration, and the potential for further malware deployment. By blending into legitimate traffic, the operation complicates detection.
Prevention starts with auditing your own published SPF and DMARC records, hardening routers (change default credentials, disable open proxies and any remote management that is not needed), and monitoring for unusual outbound traffic. This botnet shows how everyday misconfigurations can be weaponized at scale; routine security hygiene disrupts such operations before they grow.
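The SPF audit recommended above is mechanical enough to script. What follows is an added example, not code from the article or from the researchers who documented the botnet: it parses SPF and DMARC TXT records and reports the weaknesses a spoofing campaign can exploit, a permissive or missing `all` mechanism, over-broad `ip4`/`ip6` ranges, more than the ten DNS-lookup terms RFC 7208 allows (which makes receivers return permerror and ignore the record), and a DMARC policy that only monitors. The domain names and records are constructed for the demo; to audit a real domain, fetch its TXT records (for example with dnspython) and pass them to the same functions.

```python
"""Audit published SPF and DMARC records for the misconfigurations a spoofing
botnet can ride on.

Added example, not from the article. Records below are constructed so the
script runs offline; replace them with real TXT lookups to audit a domain.
"""
import ipaddress
from typing import Optional

# Terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Assumed "too broad" thresholds: anything wider than a /16 (IPv4) or /48 (IPv6).
BROAD_PREFIX = {"ip4": 16, "ip6": 48}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier, e.g. redirect=example.org
            mech, arg = term.split("=", 1)
        elif ":" in term:                     # mechanism with argument, e.g. ip4:198.51.100.0/24
            mech, arg = term.split(":", 1)
        else:                                 # bare mechanism, e.g. all, mx
            mech, arg = term, ""
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def audit_spf(record: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    terms = parse_spf(record)
    all_terms = [q for q, m, _ in terms if m == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders evaluate to neutral")
    elif all_terms[0] == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_terms[0] == "?":
        findings.append("'?all' is neutral: receivers treat unknown senders as if no SPF existed")
    elif all_terms[0] == "~":
        findings.append("'~all' only soft-fails; pair it with a DMARC reject policy")
    for qualifier, mech, arg in terms:
        if mech in BROAD_PREFIX and qualifier == "+":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"'{mech}:{arg}' is not a valid network")
                continue
            if net.prefixlen < BROAD_PREFIX[mech]:
                findings.append(f"'{mech}:{arg}' authorizes a /{net.prefixlen}, far more than a mail estate")
    lookups = sum(1 for _, m, _ in terms if m in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: receivers return permerror")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: Optional[str]) -> list[str]:
    """Findings for a DMARC record; None means the domain publishes none."""
    if record is None:
        return ["no DMARC record: SPF/DKIM results are never enforced against the From: domain"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy '{policy}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see aggregate reports of abuse")
    return findings


# Constructed sample records (not real domains) covering the weak and the sound case.
SAMPLE_RECORDS = {
    "freight-invoices.example": {
        "spf": "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "secure.example": {
        "spf": "v=spf1 mx ip4:198.51.100.10 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@secure.example",
    },
    "legacy.example": {
        "spf": "v=spf1 ip4:10.0.0.0/8 ~all",
        "dmarc": None,
    },
}


def audit_domain(name: str) -> dict[str, list[str]]:
    """Audit one of the sample domains; returns findings keyed by record type."""
    rec = SAMPLE_RECORDS[name]
    return {"spf": audit_spf(rec["spf"]), "dmarc": audit_dmarc(rec["dmarc"])}


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        print(domain)
        for kind, findings in audit_domain(domain).items():
            for line in findings or ["ok"]:
                print(f"  {kind}: {line}")
```

The first sample domain is the shape the botnet abuses: every sender passes SPF because of `+all`, and `p=none` means receivers deliver the mail anyway. Note that `include:` records are not followed here; a real audit should recurse into them, since a permissive `+all` inside an included record is just as fatal.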
Ransomware Continues to Evade Defenses: Insights from the Picus Blue Report
Despite advances in security tooling, ransomware remains a persistent and evasive threat, as the 2025 Picus Blue Report shows. Drawing on more than 160 million Breach and Attack Simulation (BAS) results, the report finds that overall ransomware prevention fell from 69% in 2024 to 62% in 2025. Worse, prevention of data exfiltration dropped from 9% to just 3%, leaving organizations wide open to double extortion.
Established strains such as BlackByte (26% prevented) and BabLock (34%) fare poorly, while FAUST, Valak, and Magniber are stopped only around 44-45% of the time. Prevention of malware delivery has fallen to 60%, and although 54% of simulated attacks are logged, only 14% generate an alert: the telemetry exists, but nobody is paged on it. These gaps stem from attackers adapting faster than static, signature-based defenses can follow.
The report recommends continuous BAS testing to validate controls, surface the fixes that matter, and build resilience. As ransomware evolves, organizations need to move from reactive to proactive strategies, including endpoint detection and response, user training, and zero-trust architecture, to close these gaps.
Cyber Attacks Disrupt Major European Airports: A Wake-Up Call for Critical Infrastructure
Critical infrastructure got a stark reminder of its exposure when a cyber attack on Collins Aerospace's MUSE check-in software disrupted electronic check-in and baggage systems at major European airports including Heathrow, Berlin, Brussels, Dublin, and Cork. The outage pushed airlines back to manual processes and caused widespread delays, cancellations, and diversions, showing how one vendor's outage ripples through global travel.
At the time of writing the attack had not been attributed, but it illustrates how interconnected systems amplify disruption. No data theft was reported, yet the operational chaos affected thousands of passengers. The incident fits the broader trend in the Check Point Threat Intelligence Report, which notes increased targeting of aviation alongside critical flaws such as the GoAnywhere MFT deserialization bug (CVE-2025-10035) and ongoing campaigns by groups like MuddyWater.
For operators, mitigation means stronger segmentation between vendor-managed systems and core operations, regular audits, and rehearsed incident response that includes manual fallback procedures. These attacks emphasize the need for resilient backups and vendor diversity in critical sectors; without them, a single supplier failure cascades across a hyper-connected world.