Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Uses AI Scanning to Discover Vulnerabilities Pre-Exploit
July 9, 2026
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Home/Threats/Critical TP-Link Router Vulnerability CVE-2023-33538 Exploited by Mirai Malware
Threats

Critical TP-Link Router Vulnerability CVE-2023-33538 Exploited by Mirai Malware

Key Takeaways Threat actors are actively leveraging a critical command injection vulnerability, CVE-2023-33538, in older, end-of-life TP-Link Wi-Fi routers. The flaw allows attackers to install...

Marcus Rodriguez
Marcus Rodriguez
April 17, 2026 4 Min Read
51 0

Key Takeaways

  • Threat actors are actively leveraging a critical command injection vulnerability, CVE-2023-33538, in older, end-of-life TP-Link Wi-Fi routers.
  • The flaw allows attackers to install Mirai-based botnet malware, specifically a variant known as Condi IoT botnet malware, on compromised devices.
  • Affected models include the TP-Link TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 10).
  • These routers no longer receive official security updates, meaning no vendor patch is available for this vulnerability.
  • The vulnerability carries a CVSS score of 8.8, indicating high severity, and exploitation requires authenticated access to the router’s web interface.

Cybersecurity researchers have identified active exploitation of a severe vulnerability, tracked as CVE-2023-33538, in several older TP-Link Wi-Fi router models. Attackers are leveraging this flaw to deploy Mirai-based botnet malware on devices that have reached their end-of-life (EoL) and are no longer supported with security updates by the vendor.

Table Of Content

  • Key Takeaways
  • Vulnerability Details and Affected Devices
  • The Attack Chain
  • Mirai-Based Botnet Operation
  • Inside the Arm7 Malware Binary
  • What You Should Do

Vulnerability Details and Affected Devices

The critical vulnerability, CVE-2023-33538, stems from insufficient input validation within the web management interface of specific TP-Link routers. This flaw allows for command injection, enabling unauthorized execution of arbitrary commands on the device. The vulnerability has a CVSS score of 8.8, highlighting its significant risk.

The models confirmed to be susceptible to these attacks include:

  • TP-Link TL-WR940N (versions 2 and 4)
  • TP-Link TL-WR740N (versions 1 and 2)
  • TP-Link TL-WR841N (versions 8 and 10)

Crucially, these devices are no longer receiving official firmware updates or security patches from TP-Link, leaving them permanently vulnerable to this exploit.

The Attack Chain

Attackers exploit CVE-2023-33538 by sending specially crafted HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint of the router’s web management interface. Within these requests, malicious commands are embedded in the ssid parameter. Due to the lack of proper input sanitization, the router’s firmware processes these commands without detecting their harmful nature, leading to unauthenticated command execution.

Upon successful exploitation, the injected commands direct the router to download an ELF binary, identified as “arm7,” from a remote server located at IP address 51.38.137[.]113. Following the download, the malware is granted full execution permissions and immediately launched on the compromised device.

Mirai-Based Botnet Operation

Analysts and researchers at Palo Alto Networks’ Unit 42 identified this malicious activity after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. Their telemetry systems recorded widespread, automated exploitation attempts targeting this specific endpoint across numerous vulnerable devices around the same period.

The downloaded “arm7” binary is a variant of the Condi IoT botnet malware, a known Mirai-based family implicated in previous cyber campaigns. Once active on the router, the malware establishes a connection to a command-and-control (C2) server, effectively enlisting the device into a larger botnet. The C2 domain cnc.vietdediserver[.]shop has been directly linked to these Mirai-like botnet operations and confirmed as malicious.

Inside the Arm7 Malware Binary

After infiltrating a device, the “arm7” binary executes a series of programmed actions to ensure persistence and expand the botnet. It actively listens for specific byte-pattern commands from its C2 server, responding with heartbeat signals, initiating self-updates, and launching internal HTTP server functionalities.

A notable feature of this malware is its self-update mechanism. The update_bins() function within the binary connects back to the hard-coded IP address 51.38.137[.]113 on TCP port 80. From this server, it retrieves updated versions of itself, compiled for eight different CPU architectures, including arm6, mips, sh4, and x86_64, demonstrating its adaptability across various IoT devices.

Furthermore, the “arm7” binary initiates its own HTTP server on the infected router. This server operates on a randomly selected port between 1024 and 65535. Once active, this local server facilitates the distribution of fresh malware copies to any other devices that connect to it, enabling a self-propagating infection without direct attacker intervention. This mechanism allows each newly compromised host to become a vector for recruiting additional victims into the botnet.

Despite the observed scale of these in-the-wild exploitation attempts, researchers noted technical inaccuracies in the attacks. The attackers mistakenly targeted the ssid parameter instead of the correctly vulnerable ssid1 parameter, and their injected commands relied on wget, a utility typically absent from the routers’ limited BusyBox environments. Nevertheless, the research team confirmed that the underlying vulnerability remains exploitable by a more precise attacker utilizing the correct parameters.

What You Should Do

  • Replace EoL Devices: TP-Link has confirmed that the affected routers are end-of-life and will not receive any further patches. Users are strongly advised to replace these vulnerable units with supported, up-to-date hardware.
  • Change Default Credentials: Since exploitation requires authenticated access to the router’s web interface, immediately change any default “admin:admin” login credentials to strong, unique passwords.
  • Monitor Network Traffic: Network administrators should actively monitor outbound traffic for connections to known malicious domains and IP addresses, such as 51.38.137[.]113 and cnc.vietdediserver[.]shop.
  • Isolate or Remove Affected Devices: Any affected TP-Link router models still active on a network should be immediately isolated from critical systems or removed entirely to prevent further compromise.
  • Implement Network Segmentation: For any legacy devices that cannot be immediately replaced, implement strict network segmentation to limit their potential impact if compromised.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitHackerMalwarePatchSecurityVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Worm Spreads via Email to Compromise Industrial Control Systems

Next Post

Censys: 6 Million Internet-Facing FTP Servers Remain Exposed

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical HP Linux Printing Bug (CVE-2023-1704) Lets Attackers Run Code
July 9, 2026
Fake Paysafe, Skrill, Neteller Packages Steal API Keys and Tokens
July 9, 2026
Windows Update Installs LG Monitor App Pushing McAfee Ads
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us