Critical TP-Link Router Vulnerability CVE-2023-33538 Exploited by Mirai Malware
Key Takeaways Threat actors are actively leveraging a critical command injection vulnerability, CVE-2023-33538, in older, end-of-life TP-Link Wi-Fi routers. The flaw allows attackers to install...
Key Takeaways
- Threat actors are actively leveraging a critical command injection vulnerability, CVE-2023-33538, in older, end-of-life TP-Link Wi-Fi routers.
- The flaw allows attackers to install Mirai-based botnet malware, specifically a variant known as Condi IoT botnet malware, on compromised devices.
- Affected models include the TP-Link TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 10).
- These routers no longer receive official security updates, meaning no vendor patch is available for this vulnerability.
- The vulnerability carries a CVSS score of 8.8, indicating high severity, and exploitation requires authenticated access to the router’s web interface.
Cybersecurity researchers have identified active exploitation of a severe vulnerability, tracked as CVE-2023-33538, in several older TP-Link Wi-Fi router models. Attackers are leveraging this flaw to deploy Mirai-based botnet malware on devices that have reached their end-of-life (EoL) and are no longer supported with security updates by the vendor.
Table Of Content
Vulnerability Details and Affected Devices
The critical vulnerability, CVE-2023-33538, stems from insufficient input validation within the web management interface of specific TP-Link routers. This flaw allows for command injection, enabling unauthorized execution of arbitrary commands on the device. The vulnerability has a CVSS score of 8.8, highlighting its significant risk.
The models confirmed to be susceptible to these attacks include:
- TP-Link TL-WR940N (versions 2 and 4)
- TP-Link TL-WR740N (versions 1 and 2)
- TP-Link TL-WR841N (versions 8 and 10)
Crucially, these devices are no longer receiving official firmware updates or security patches from TP-Link, leaving them permanently vulnerable to this exploit.
The Attack Chain
Attackers exploit CVE-2023-33538 by sending specially crafted HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint of the router’s web management interface. Within these requests, malicious commands are embedded in the ssid parameter. Due to the lack of proper input sanitization, the router’s firmware processes these commands without detecting their harmful nature, leading to unauthenticated command execution.
Upon successful exploitation, the injected commands direct the router to download an ELF binary, identified as “arm7,” from a remote server located at IP address 51.38.137[.]113. Following the download, the malware is granted full execution permissions and immediately launched on the compromised device.
Mirai-Based Botnet Operation
Analysts and researchers at Palo Alto Networks’ Unit 42 identified this malicious activity after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. Their telemetry systems recorded widespread, automated exploitation attempts targeting this specific endpoint across numerous vulnerable devices around the same period.
The downloaded “arm7” binary is a variant of the Condi IoT botnet malware, a known Mirai-based family implicated in previous cyber campaigns. Once active on the router, the malware establishes a connection to a command-and-control (C2) server, effectively enlisting the device into a larger botnet. The C2 domain cnc.vietdediserver[.]shop has been directly linked to these Mirai-like botnet operations and confirmed as malicious.
Inside the Arm7 Malware Binary
After infiltrating a device, the “arm7” binary executes a series of programmed actions to ensure persistence and expand the botnet. It actively listens for specific byte-pattern commands from its C2 server, responding with heartbeat signals, initiating self-updates, and launching internal HTTP server functionalities.
A notable feature of this malware is its self-update mechanism. The update_bins() function within the binary connects back to the hard-coded IP address 51.38.137[.]113 on TCP port 80. From this server, it retrieves updated versions of itself, compiled for eight different CPU architectures, including arm6, mips, sh4, and x86_64, demonstrating its adaptability across various IoT devices.
Furthermore, the “arm7” binary initiates its own HTTP server on the infected router. This server operates on a randomly selected port between 1024 and 65535. Once active, this local server facilitates the distribution of fresh malware copies to any other devices that connect to it, enabling a self-propagating infection without direct attacker intervention. This mechanism allows each newly compromised host to become a vector for recruiting additional victims into the botnet.
Despite the observed scale of these in-the-wild exploitation attempts, researchers noted technical inaccuracies in the attacks. The attackers mistakenly targeted the ssid parameter instead of the correctly vulnerable ssid1 parameter, and their injected commands relied on wget, a utility typically absent from the routers’ limited BusyBox environments. Nevertheless, the research team confirmed that the underlying vulnerability remains exploitable by a more precise attacker utilizing the correct parameters.
What You Should Do
- Replace EoL Devices: TP-Link has confirmed that the affected routers are end-of-life and will not receive any further patches. Users are strongly advised to replace these vulnerable units with supported, up-to-date hardware.
- Change Default Credentials: Since exploitation requires authenticated access to the router’s web interface, immediately change any default “admin:admin” login credentials to strong, unique passwords.
- Monitor Network Traffic: Network administrators should actively monitor outbound traffic for connections to known malicious domains and IP addresses, such as
51.38.137[.]113andcnc.vietdediserver[.]shop. - Isolate or Remove Affected Devices: Any affected TP-Link router models still active on a network should be immediately isolated from critical systems or removed entirely to prevent further compromise.
- Implement Network Segmentation: For any legacy devices that cannot be immediately replaced, implement strict network segmentation to limit their potential impact if compromised.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.