
Ongoing failed exploitation attempts against unauthenticated command injection in EoL TP-Link routers (CVE-2023-33538)

1 unique source, 1 article

Summary


Since June 2025, threat actors have persistently targeted CVE-2023-33538, an authenticated command injection vulnerability affecting several discontinued TP-Link router models, including the TL-WR940N, TL-WR740N, and TL-WR841N. Attempts to weaponize the flaw have repeatedly failed because of incorrect exploitation techniques: missing authentication, mis-targeted parameters, and reliance on BusyBox utilities that do not exist on the devices. Despite publicly available proof-of-concept code since 2023 and the flaw's inclusion in CISA's KEV catalog, no successful compromise has been observed. Successful exploitation could have enabled denial-of-service conditions or persistent device access, but the observed payloads (Mirai-derived binaries similar to those of the Condi IoT botnet) achieved only ineffective scanning and probing activity.

Timeline

  1. 20.04.2026 10:50 · 1 article

    Sustained failed exploitation of CVE-2023-33538 in end-of-life TP-Link routers observed through 2025

    Security vendor tracking reveals continuous but unsuccessful exploitation attempts against CVE-2023-33538 since June 2025, targeting multiple TP-Link router models. Observed attacks leveraged Mirai-derived payloads to propagate malware via HTTP servers hosted on compromised routers, but all attempts failed due to incorrect exploitation parameters and missing environment dependencies. No evidence of successful compromise or persistent access has been detected despite active scanning and probing activity.


Information Snippets

  • Vulnerability CVE-2023-33538 is an authenticated command injection flaw in TP-Link router models TL-WR940N (v2, v4), TL-WR740N (v1, v2), and TL-WR841N (v8, v10), caused by an unsanitized ssid1 parameter in HTTP GET requests.

    First reported: 20.04.2026 10:50
    1 source, 1 article
  • The flaw has a CVSS score of 8.8 and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in June 2025, prompting federal agencies to immediately discontinue use of affected end-of-life devices.

    First reported: 20.04.2026 10:50
    1 source, 1 article
  • Public proof-of-concept exploit code has been available since 2023, yet no successful exploitation has been observed despite continuous scanning and attack attempts tracked since June 2025.

    First reported: 20.04.2026 10:50
    1 source, 1 article
  • Exploitation attempts observed by Palo Alto Networks involved Mirai-based payloads resembling Condi IoT botnet binaries, designed to turn compromised devices into HTTP servers distributing malware to other infected hosts.

    First reported: 20.04.2026 10:50
    1 source, 1 article
  • Attackers failed due to multiple technical errors: targeting the flaw without authentication, mis-specifying the vulnerable parameter, and invoking BusyBox utilities not present in the targeted devices’ environment.

    First reported: 20.04.2026 10:50
    1 source, 1 article
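The snippets above describe three ways the observed attempts went wrong: requests sent without authentication, injection aimed at a parameter other than ssid1, and shell metacharacters in the value of a parameter that should only ever hold a wireless network name. A defender watching a router's HTTP admin log (or a reverse proxy in front of it) can separate those cases mechanically. The script below is an added example written for this page; it is not code from CyberHappenings, Palo Alto Networks or TP-Link. It assumes the admin interface logs in Common Log Format (whose third field is the authenticated user, or "-" when there is none), uses a hypothetical /wlan path, and runs over constructed log lines with inert payload strings; the real request path is not named on the page and is not needed for the check.

```python
"""Flag command-injection attempts against a router's HTTP admin interface in
Common Log Format access logs, keyed on the unsanitized ssid1 parameter.
Added example; sample log lines are constructed, not from the tracked source."""
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Common Log Format: client, identd, authenticated user, timestamp, request line, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shell metacharacters that have no business inside a wireless network name.
SHELL_META = {";", "|", "&", "`", "$", "\n", "\r"}
TARGET_PARAM = "ssid1"  # the unsanitized parameter named in the snippets above

# Constructed sample lines: hypothetical /wlan path, documentation IP ranges, inert payloads.
SAMPLE_LOG = """\
198.51.100.7 - admin [20/Apr/2026:10:50:01 +0000] "GET /wlan?ssid1=HomeNet HTTP/1.1" 200 512
203.0.113.5 - - [20/Apr/2026:10:50:02 +0000] "GET /wlan?ssid1=x;echo%20test HTTP/1.1" 401 0
203.0.113.9 - admin [20/Apr/2026:10:50:03 +0000] "GET /wlan?ssid=x|echo%20test HTTP/1.1" 200 512
203.0.113.5 - - [20/Apr/2026:10:50:04 +0000] "GET /wlan?ssid1=x%24%28echo%20t%29 HTTP/1.1" 401 0
198.51.100.7 - admin [20/Apr/2026:10:50:05 +0000] "POST /wlan HTTP/1.1" 200 512
"""


def parse_clf_line(line):
    """Return the fields of one access-log line, or None if it is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Decode the query string of a request target into (name, value) pairs.
    Splits only on '&' so a ';' survives inside a value (older parse_qsl split on it)."""
    pairs = []
    for item in urlsplit(target).query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def injection_indicators(value):
    """Set of shell metacharacters present in a decoded parameter value."""
    return {c for c in value if c in SHELL_META}


def scan_log(lines):
    """Flag GET requests whose query carries shell metacharacters, recording whether
    the request was authenticated and whether it hit the known-vulnerable parameter."""
    findings = []
    for line in lines:
        rec = parse_clf_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        for name, value in query_params(rec["target"]):
            hits = injection_indicators(value)
            if not hits:
                continue
            findings.append({
                "ip": rec["ip"],
                "authenticated": rec["user"] != "-",
                "param": name,
                "on_target": name == TARGET_PARAM,
                "indicators": "".join(sorted(hits)),
                "status": int(rec["status"]),
            })
    return findings


def classify(finding):
    """Map a finding onto the failure modes described for the observed attempts."""
    if not finding["on_target"]:
        return "mistargeted-parameter"
    if not finding["authenticated"]:
        return "unauthenticated-attempt"
    return "authenticated-attempt"


def summarize(findings):
    """Count findings per (source IP, class) so repeat scanners stand out."""
    return Counter((f["ip"], classify(f)) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(classify(f), f)
    print(summarize(found))
```

The "authenticated-attempt" class is the one that matters on a device that is still in service: an unauthenticated or mis-targeted request cannot reach the vulnerable code path, while an authenticated request with metacharacters in ssid1 means the attacker already holds (or has guessed) admin credentials and the device should be treated as compromised. For end-of-life models the snippets above note there is no patch, so the only mitigations are removing the device or keeping its admin interface off the WAN side.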