Find notable cyber news and cases, enriched with sources, timelines, and signals.

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

CVE-2023-33538 in discontinued TP-Link routers is still being probed, leaving exposed devices at risk of arbitrary command execution and denial of service if attackers succeed. The flaw is an authenticated command injection bug in the ssid1 parameter of HTTP GET requests, and it affects TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. A public proof-of-concept exploit has been available for nearly three years, and defenders have tracked the activity since June last year. The observed exploit attempts have failed so far because the code was incomplete and used the wrong parameter.

Related Happenings

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave
H score87 First: 05.06.2026 11:38 Last: 05.06.2026 11:38 Sources 1

About this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
H score38 First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
H score51 First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

Timeline

  1. 20.04.2026 10:50 2 articles · 2mo ago

    Palo Alto Networks analyzes failed CVE-2023-33538 exploitation in TP-Link routers

    Technical Analysis Update

    Palo Alto Networks detailed ongoing targeting of CVE-2023-33538 in discontinued TP-Link routers, an authenticated command injection flaw in the ssid1 parameter of HTTP GET requests affecting TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. The firm said exploit attempts tracked since June last year used Mirai-based payloads similar to Condi IoT botnet binaries, but the code failed because attackers skipped authentication, targeted the wrong parameter, and relied on a BusyBox utility missing from the vulnerable devices. Successful exploitation could enable arbitrary system command execution, denial of service, or persistent access, and public proof-of-concept exploit code has been available for almost three years.

    Show sources