
TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
H score 39
1 unique source, 1 article

Summary


CVE-2023-33538 in discontinued TP-Link routers is still being probed, leaving exposed devices at risk of arbitrary command execution and denial of service if attackers succeed. The flaw is an authenticated command injection bug in the ssid1 parameter of HTTP GET requests, and it affects TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. A public proof-of-concept exploit has been available for nearly three years, and defenders have tracked the activity since June last year. The observed exploit attempts have failed so far because the code was incomplete and used the wrong parameter.

Related Happenings

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

Marimo CVE-2026-39987 exploitation wave

Exploitation Wave
First: 12.04.2026 17:20 Last: 12.04.2026 17:20 Sources 1

About this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...

F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Exploitation Wave
First: 02.04.2026 11:25 Last: 02.04.2026 11:25 Sources 1

About this happening: As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...

Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave

Exploitation Wave
First: 26.03.2026 18:00 Last: 26.03.2026 18:00 Sources 1

About this happening: **Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...

Timeline

  1. 20.04.2026 10:50 · 2 articles

    Palo Alto Networks analyzes failed CVE-2023-33538 exploitation in TP-Link routers

    Technical Analysis Update

    Palo Alto Networks detailed ongoing targeting of CVE-2023-33538 in discontinued TP-Link routers, an authenticated command injection flaw in the ssid1 parameter of HTTP GET requests affecting TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10. The firm said exploit attempts tracked since June last year used Mirai-based payloads similar to Condi IoT botnet binaries, but the code failed because attackers skipped authentication, targeted the wrong parameter, and relied on a BusyBox utility missing from the vulnerable devices. Successful exploitation could enable arbitrary system command execution, denial of service, or persistent access, and public proof-of-concept exploit code has been available for almost three years.
