The FBI told Americans in May 2025 to replace home routers that have reached end-of-life status, warning that threat actors are quietly converting those devices into proxy nodes for cybercriminal operations. The bureau’s Public Service Announcement, designated I-050725-PSA, singles out routers that no longer receive manufacturer security patches as the primary targets. The alert follows a court-authorized takedown of a botnet that had enrolled more than 200,000 consumer devices, many of them small-office and home-office routers linked to hackers sponsored by the People’s Republic of China.
Why replacing compromised routers matters right now
Routers that have passed their support lifecycle present a specific problem: they cannot be patched against newly discovered vulnerabilities because their manufacturers have stopped issuing firmware updates. When the FBI says “replace,” it is drawing a clear line: rebooting or resetting a device is not enough. A reboot can temporarily disrupt malware running in volatile memory, but it does nothing to close the software flaw that allowed the initial compromise. Without a patch, the same exploit can be used again within hours.
The FBI’s public service announcement spells out a short checklist: swap out unsupported hardware, apply any available firmware updates on devices that are still supported, disable remote administration features, create strong and unique passwords, and reboot as an immediate stopgap. The order of those steps matters. Replacement and patching sit at the top because they address the root cause, while rebooting is listed last as a temporary measure.
The distinction between patching and rebooting carries real consequences for households. A router that gets rebooted but never patched remains an open door. Attackers operating residential proxy networks rely on exactly this gap. They scan for devices running outdated firmware, install lightweight proxy software, and route their traffic through a victim’s home IP address. That makes criminal activity look like ordinary residential browsing, which complicates law enforcement tracing and can expose the router’s owner to unwanted scrutiny.
The DOJ takedown and the scale of the threat
The FBI’s guidance did not appear in a vacuum. A Department of Justice press release (No. 24-1173) described a court-authorized operation that disrupted a worldwide botnet composed of more than 200,000 consumer devices. Those devices included SOHO routers, and the DOJ attributed the botnet’s use to People’s Republic of China state-sponsored hackers. Investigators obtained authority under Rule 41 to seize command-and-control servers located in the United States and to send disabling commands to infected nodes.
An affidavit filed in the Western District of Pennsylvania laid out how federal agents identified the infected infrastructure. The filing described a Mirai-variant botnet and detailed the technical steps used to map command-and-control servers tied to compromised routers. Court authorization allowed investigators to take control of those servers and sever the link between the botnet operators and the hijacked devices.
Specific hardware has already been flagged. The National Vulnerability Database entry for CVE-2025-9377 identifies the TP-Link Archer C7(EU) V2 and the TP-Link TL-WR841N/ND(MS) V9 as affected models. Both are popular consumer routers sold widely in the United States and Europe. Owners of these models should check whether their hardware version still receives firmware support from TP-Link and, if not, treat the device as a candidate for immediate replacement.
Gaps in the evidence and what to watch next
Several questions remain open. The FBI and DOJ releases do not provide a U.S.-specific count of infected routers. The 200,000-device figure covers the global botnet, but neither agency has disclosed how many of those nodes sat inside American homes. Without that breakdown, it is difficult to gauge how concentrated the domestic exposure actually is.
There is also no public telemetry confirming whether the court-authorized disruption fully dismantled the botnet’s infrastructure or merely degraded it. Botnets built on consumer hardware have a well-documented pattern of reconstituting themselves after takedowns because the underlying vulnerable devices remain online. If a significant share of owners simply rebooted their routers and never replaced or patched them, those same devices could be re-enrolled by operators using the same or similar exploits.
The hypothesis that patched routers show measurably lower re-infection rates than merely rebooted ones is logical but unconfirmed by any published data. No primary source in the FBI or DOJ record supplies post-disruption re-infection statistics. Independent security researchers tracking the Quad7 botnet may eventually publish that data, but as of the FBI’s May 2025 alert, the gap persists.
*This article was researched with the help of AI, with human editors creating the final content.