Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers

Summary

Palo Alto Networks reports that attackers have been attempting to exploit CVE-2023-33538, a command injection vulnerability in discontinued TP-Link router models (TL-WR940N, TL-WR740N, TL-WR841N), for over a year without success. The exploitation attempts involved Mirai-based payloads similar to Condi IoT botnet binaries, but failed due to errors in the exploit code, including missing authentication handling, incorrect parameter targeting, and reliance on unavailable utilities. CISA added the flaw to its Known Exploited Vulnerabilities catalog in June 2024, urging federal agencies to discontinue use of these end-of-life devices.

Full text

Hackers have been targeting a vulnerability in discontinued TP-Link routers for a year, so far failing to successfully exploit it, Palo Alto Networks reports. Tracked as CVE-2023-33538 (CVSS score of 8.8), the flaw is described as an authenticated command injection issue rooted in the lack of sanitization of the ssid1 parameter in HTTP GET requests. “An attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router,” Palo Alto Networks explains. The weakness impacts TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10 router models, the cybersecurity firm says. Proof-of-concept (PoC) exploit code targeting the CVE has been publicly available for almost three years. In June last year, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, warning that it affects end-of-life (EoL) and end-of-service (EoS) products, and urging federal agencies to discontinue the use of these devices immediately.Advertisement. Scroll to continue reading. Now, Palo Alto Networks says the activity surrounding CVE-2023-33538’s exploitation that it has been tracking since June last year has involved Mirai-based payloads similar to the Condi IoT botnet binaries. The payload was designed to turn the infected devices into HTTP servers that would deliver malware binaries to requesting clients (other infected devices). Palo Alto Networks’ dive into the exploitation attempts has confirmed the existence of the underlying vulnerability, while uncovering errors in the exploit code that prevented attackers from successfully exploiting the CVE. Hackers, it says, attempted to exploit the bug without authentication, targeted the wrong parameter, and relied on a utility not present in the vulnerable devices’ BusyBox environment. “This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks,” the cybersecurity firm says. Successful exploitation of the command injection issue, Palo Alto Networks explains, could lead to denial-of-service (DoS) conditions or could allow attackers to achieve persistent access to the vulnerable devices. Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild Related: Cursor AI Vulnerability Exposed Developer Devices Related: 53 DDoS Domains Taken Down by Law Enforcement Related: 100 Chrome Extensions Steal User Data, Create Backdoor Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cursor AI Vulnerability Exposed Developer Devices53 DDoS Domains Taken Down by Law EnforcementArtemis Emerges From Stealth With $70 Million in FundingSplunk Enterprise Update Patches Code Execution VulnerabilityNIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical SoftwareCisco Patches Critical Vulnerabilities in Webex, ISERansomware Hits Automotive Data Expert AutovistaCapsule Security Emerges From Stealth With $7 Million in Funding Latest News Tycoon 2FA Loses Phishing Kit Crown Amid Surge in AttacksWhite House Chief of Staff to Meet With Anthropic CEO Over Its New AI TechnologyCoChat Launches AI Collaboration Platform to Combat Shadow AIIn Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker ArrestedAnother DraftKings Hacker Sentenced to PrisonLawmakers Gathered Quietly to Talk About AI. Angst and Fears of ‘Destruction’ FollowedRecent Apache ActiveMQ Vulnerability Exploited in the WildTwo North Korean IT Worker Scheme Facilitators Jailed in the US Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2023-33538
• malware — Condi
• malware — Mirai

Entities