Exploitation Attempts on TP-Link Routers via CVE-2023-33538 Linked to Mirai Malware

Exploitation Attempts on TP-Link Routers via CVE-2023-33538 Linked to Mirai Malware

First seen 17 Apr 2026, 18:32 UTC GbhackersCybersecuritydiveweb.archive.orgCybersecuritynewsSecurityaffairs.Co+3 84% similarity 54.9

Article Content

Browse articles
ThreatCluster

Hackers are actively targeting a command injection vulnerability, CVE-2023-33538, affecting several end-of-life TP-Link router models, including TL-WR940N and TL-WR841N. This vulnerability allows attackers to execute arbitrary commands on the routers' web management interface, particularly through the ssid1 parameter. While exploitation attempts have been detected, they have not been successful due to critical implementation errors, such as the need for valid authentication and the use of incorrect parameters. The vulnerability was disclosed in June 2023 and added to CISA's Known Exploited Vulnerabilities catalog in June 2025. The observed payloads show similarities to Mirai botnet malware, indicating a potential for creating a new botnet. Users are advised to replace these devices as they no longer receive security updates. Default credentials should also be changed to mitigate risks. The situation remains under close observation as researchers continue to analyze the threat.

Key Points: • CVE-2023-33538 affects multiple end-of-life TP-Link router models. • Exploitation attempts are linked to Mirai-like malware but have not succeeded yet. • Users are urged to replace vulnerable routers and change default credentials.

ThreatCluster AI

Timeline

2021-04-02
CVE-2020-27600 published
2022-02-17
CVE-2021-46315 published
2023-06-07
CVE-2023-33538 published
2025-06-16
CVE-2023-33538 added to CISA KEV catalog
2025-06-23
First public proof of concept for CVE-2023-33538
Recent
Active exploitation attempts detected targeting TP-Link routers

Community

Browse all →