TP-Link: TP-Link Routers Hit by Mirai in CVE-2023-33538 Attacks

Mirai-Style Botnet Targets Vulnerable TP-Link Routers via CVE-2023-33538

Hackers are actively scanning for unpatched TP-Link home routers to deploy Mirai-style malware, exploiting CVE-2023-33538, a command injection flaw in the web management interface of several legacy models. The vulnerability affects TL-WR940N (v2/v4), TL-WR740N (v1/v2), and TL-WR841N (v8/v10), all end-of-life devices that no longer receive security updates.

The bug resides in the /userRpm/WlanNetworkRpm.htm endpoint, where unsanitized input in the ssid1 field can be passed directly into a shell command, allowing arbitrary code execution. While public proof-of-concept exploits exist, recent attacks contain critical errors: many target the wrong parameter (ssid instead of ssid1), lack valid session tokens, and rely on tools like wget, which are absent in the routers’ restricted BusyBox environment.

Despite these flaws, researchers confirmed the vulnerability is exploitable with valid credentials. Attackers have attempted to download an ELF binary (arm7) from 51.38.137[.]113, a Mirai-like botnet payload linked to the Condi family. Once executed, the malware connects to a command-and-control server, enabling DDoS attacks and self-updating across multiple architectures.

TP-Link has advised replacing affected devices, as no patches will be issued. Security recommendations include disabling remote management, segmenting IoT networks, and enforcing strong admin passwords. Organizations can detect related activity by monitoring traffic to known Mirai infrastructure and investigating unusual outbound connections from these routers.
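The detection advice above (watch for traffic to known Mirai infrastructure and for unusual outbound connections from the routers) can be turned into a small triage script. The following is an added example, not code from the article or from TP-Link: it parses constructed firewall flow records, raises a critical alert for any host contacting the download address named in the write-up (51.38.137[.]113, re-fanged here only for matching), and a lower-severity alert when one of the inventoried end-of-life routers opens a connection to a non-LAN destination that is not on its expected-services allowlist. The router inventory, the allowlist, the flow line format and all sample addresses are assumptions made for the example.

```python
"""Triage outbound flows from end-of-life TP-Link routers (added example).

Assumptions (not from the article): a flow log line looks like
    <timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <bytes>
the router inventory and allowlist below are hypothetical, and the sample
flow lines are constructed for this example.
"""
import ipaddress

# Indicator taken from the write-up (printed there defanged as 51.38.137[.]113).
KNOWN_MIRAI_INFRA = {"51.38.137.113"}

# Hypothetical asset inventory: addresses of the end-of-life routers we still run.
ROUTER_ASSETS = {
    "192.168.1.1": "TL-WR841N v10",
    "192.168.2.1": "TL-WR940N v4",
}

# Constructed allowlist: (ip, port) pairs a router is expected to reach
# (a DNS resolver and a placeholder NTP server in the documentation range).
EXPECTED_DESTS = {("9.9.9.9", 53), ("192.0.2.123", 123)}

# RFC 1918 ranges: traffic that stays inside these is not "outbound" for this check.
# Explicit list rather than ip_address().is_private, which also covers the
# documentation ranges used in the sample below.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = """\
2026-04-02T10:00:01 192.168.1.1 -> 9.9.9.9:53 udp 72
2026-04-02T10:00:05 192.168.1.1 -> 51.38.137.113:80 tcp 412
2026-04-02T10:00:09 192.168.1.50 -> 198.51.100.20:443 tcp 9100
2026-04-02T10:01:12 192.168.2.1 -> 203.0.113.77:8080 tcp 1500
2026-04-02T10:01:30 192.168.2.1 -> 192.0.2.123:123 udp 48
"""


def parse_flow(line):
    """Split one flow record into its fields; raises ValueError on bad input."""
    ts, src, arrow, dst, proto, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow format: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto, "bytes": int(nbytes)}


def is_lan(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify(flow):
    """Return 'critical', 'suspicious' or None for one parsed flow."""
    # Any host touching the known download/C2 address is a critical finding.
    if flow["dst_ip"] in KNOWN_MIRAI_INFRA:
        return "critical"
    # Beyond the IoC match, only the inventoried routers are in scope.
    if flow["src"] not in ROUTER_ASSETS:
        return None
    # LAN-internal traffic (DHCP, admin UI, etc.) is expected.
    if is_lan(flow["dst_ip"]):
        return None
    if (flow["dst_ip"], flow["dst_port"]) in EXPECTED_DESTS:
        return None
    # A router itself initiating an unexpected outbound connection is unusual.
    return "suspicious"


def scan_flows(text):
    """Run classify() over every line of a flow log and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict is not None:
            alerts.append({
                "src": flow["src"],
                "asset": ROUTER_ASSETS.get(flow["src"], "non-router host"),
                "dst": f"{flow['dst_ip']}:{flow['dst_port']}",
                "verdict": verdict,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

Running the script against the sample yields two alerts: a critical one for the TL-WR841N contacting the indicator address, and a suspicious one for the TL-WR940N opening a connection to an unlisted external host on port 8080. The DNS and NTP flows and the client workstation's HTTPS traffic produce nothing. In a real deployment the allowlist should be derived from a baseline of the router's normal traffic, and the IoC set refreshed from threat-intel feeds rather than hard-coded.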

Source: https://gbhackers.com/tp-link-routers/

TP-Link cybersecurity rating report: https://www.rankiteo.com/company/tp-link-corporation

"id": "TP-1776716855",
"linkid": "tp-link-corporation",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of affected TP-Link '
                                              'router models (TL-WR940N, '
                                              'TL-WR740N, TL-WR841N)',
                        'industry': 'Networking Hardware',
                        'name': 'TP-Link',
                        'type': 'Technology Manufacturer'}],
 'attack_vector': 'Command Injection',
 'customer_advisories': 'TP-Link has advised replacing affected devices as no '
                        'patches will be issued.',
 'description': 'Hackers are actively scanning for unpatched TP-Link home '
                'routers to deploy Mirai-style malware, exploiting '
                'CVE-2023-33538, a command injection flaw in the web '
                'management interface of several legacy models. The '
                'vulnerability affects TL-WR940N (v2/v4), TL-WR740N (v1/v2), '
                'and TL-WR841N (v8/v10), all end-of-life devices that no '
                'longer receive security updates. The bug resides in the '
                '`/userRpm/WlanNetworkRpm.htm` endpoint, where unsanitized '
                'input in the ssid1 field can be passed directly into a shell '
                'command, allowing arbitrary code execution. Despite flaws in '
                'attack attempts, the vulnerability is exploitable with valid '
                'credentials. Attackers download an ELF binary (arm7) from '
                '51.38.137[.]113, a Mirai-like botnet payload linked to the '
                'Condi family, enabling DDoS attacks and self-updating across '
                'multiple architectures.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for '
                                       'TP-Link',
            'operational_impact': 'Potential DDoS attacks, unauthorized remote '
                                  'control',
            'systems_affected': 'TP-Link routers (TL-WR940N, TL-WR740N, '
                                'TL-WR841N)'},
 'lessons_learned': 'End-of-life devices pose significant security risks; '
                    'network segmentation and strong credentials are critical '
                    'for IoT security.',
 'motivation': 'DDoS Attacks, Botnet Expansion',
 'post_incident_analysis': {'corrective_actions': 'Replace vulnerable devices, '
                                                  'implement network '
                                                  'segmentation, and enhance '
                                                  'monitoring',
                            'root_causes': 'Unpatched command injection '
                                           'vulnerability (CVE-2023-33538) in '
                                           'end-of-life TP-Link routers'},
 'recommendations': 'Replace affected TP-Link routers, disable remote '
                    'management, segment IoT networks, enforce strong admin '
                    'passwords, and monitor for suspicious traffic.',
 'references': [{'source': 'Cybersecurity Research'}],
 'response': {'containment_measures': 'Disabling remote management, segmenting '
                                      'IoT networks, enforcing strong admin '
                                      'passwords',
              'enhanced_monitoring': 'Monitoring traffic to known Mirai '
                                     'infrastructure and unusual outbound '
                                     'connections',
              'network_segmentation': 'Recommended',
              'remediation_measures': 'Replacing affected devices (no patches '
                                      'available)'},
 'title': 'Mirai-Style Botnet Targets Vulnerable TP-Link Routers via '
          'CVE-2023-33538',
 'type': 'Botnet Deployment',
 'vulnerability_exploited': 'CVE-2023-33538'}