TP-Link router authenticated command injection (CVE-2023-33538)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2023-33538 in discontinued TP-Link routers is still being probed, leaving exposed devices at risk of arbitrary command execution and denial of service if attackers succeed. The flaw is an authenticated command injection bug in the ssid1 parameter of HTTP GET requests, and it affects TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. A public proof-of-concept exploit has been available for nearly three years, and defenders have tracked the activity since June last year. The observed exploit attempts have failed so far because the code was incomplete and used the wrong parameter.
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score38
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
H score51
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveAbout this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Timeline
-
20.04.2026 10:50 2 articles · 2mo ago
Palo Alto Networks analyzes failed CVE-2023-33538 exploitation in TP-Link routers
Technical Analysis UpdatePalo Alto Networks detailed ongoing targeting of CVE-2023-33538 in discontinued TP-Link routers, an authenticated command injection flaw in the ssid1 parameter of HTTP GET requests affecting TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. The firm said exploit attempts tracked since June last year used Mirai-based payloads similar to Condi IoT botnet binaries, but the code failed because attackers skipped authentication, targeted the wrong parameter, and relied on a BusyBox utility missing from the vulnerable devices. Successful exploitation could enable arbitrary system command execution, denial of service, or persistent access, and public proof-of-concept exploit code has been available for almost three years.
Show sources
- Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers — www.securityweek.com — 20.04.2026 10:50
- Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers — www.securityweek.com — 20.04.2026 10:50