CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Unit 42 researchers investigated active exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N). Using firmware emulation and reverse engineering of the httpd binary, they confirmed the vulnerability is real but found the in-the-wild attacks were flawed: attackers used the wrong parameter (ssid instead of ssid1), skipped authentication, and relied on wget which is absent from the firmware's limited BusyBox environment. The researchers confirmed that authenticated exploitation via the ssid1 parameter does work, and that default credentials (admin:admin) make authentication trivial. The Mirai-variant malware (arm7) analyzed supports C2 commands, self-updating across multiple CPU architectures, and can turn infected devices into HTTP servers that spread malware. TP-Link confirmed no patches will be issued for these end-of-life devices and recommends replacement.

A Deep Dive Into Attempted Exploitation of CVE-2023-33538