

Ethical Hacking News

CVE-2023-33538: A Persistent Vulnerability in TP-Link Routers Exposed for Over a Year



Hackers have been attempting to exploit a serious vulnerability in outdated TP-Link routers for over a year, but so far without success. The vulnerability, tracked as CVE-2023-33538, is a command injection vulnerability in the /userRpm/WlanNetworkRpm component that impacts several TP-Link router models. Despite extensive efforts by attackers, no successful exploitation has been seen so far, highlighting the importance of timely patching and strong security measures.

  • Hackers have been trying to exploit CVE-2023-33538 in TP-Link routers for over a year without success.
  • The vulnerability is a command injection vulnerability in the /userRpm/WlanNetworkRpm component that impacts several router models.
  • Attackers are sending HTTP GET requests with malicious input to abuse the ssid1 parameter, but no successful exploitation has been seen so far.
  • The attack vector resembles botnet behavior and is linked to Mirai-like malware.
  • Palo Alto Networks observed a Mirai variant in the malicious ELF binary downloaded by attackers.
  • Successful attacks require authentication, and the system environment is restricted to a very limited set of tools, which limits the practical impact of the exploit.


Hackers have been attempting to exploit a serious vulnerability in outdated TP-Link routers for over a year, so far without success. The vulnerability, tracked as CVE-2023-33538, is a command injection vulnerability in the /userRpm/WlanNetworkRpm component that impacts several TP-Link router models.

The vulnerability was first disclosed in June 2023 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog in June 2025. According to Palo Alto Networks, its telemetry detected active, large-scale exploitation attempts for CVE-2023-33538 around the time of the addition to the KEV catalog. Despite the extensive efforts of attackers, however, no successful exploitation has been seen so far.

The vulnerability lies in the router's web interface, specifically in how it handles the ssid1 parameter from the /userRpm/WlanNetworkRpm.htm endpoint. When the system processes this input, it does not clean or validate it properly, allowing an attacker to inject system commands that later get passed to a shell and executed.

The observed attack vector involves sending HTTP GET requests to the /userRpm/WlanNetworkRpm.htm endpoint that abuse the ssid1 parameter to run several commands in sequence: first download a malicious ELF binary named arm7 from a remote server into /tmp, then change its permissions to make it executable, and finally run it with a specific argument.

The activity resembles botnet behavior, often linked to Mirai-like malware. The requests also used Basic Authentication with the default credentials admin:admin, encoded in Base64.
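A detection check for the request pattern described above, added here as an example (it is not from the Palo Alto Networks analysis or from TP-Link): it walks constructed access-log lines and flags requests to /userRpm/WlanNetworkRpm.htm, shell metacharacters or an over-long value in ssid1, and Basic Authentication with admin:admin. The log layout (combined format with the Authorization value appended as a final quoted field) is an assumption, as a router itself will not normally produce such a log.

```python
import base64
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines (not real telemetry): combined log format with the
# request's Authorization value appended as a final quoted field (assumption).
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/Apr/2026:10:59:27 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeWiFi&channel=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Basic YWRtaW46cyNjcmV0UGFzcw=="',
    '198.51.100.7 - - [20/Apr/2026:11:02:13 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=Guest;echo+probe&Save=Save HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Basic YWRtaW46YWRtaW4="',
    '10.0.0.9 - - [20/Apr/2026:11:05:00 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'\d+ \d+ "[^"]*" "[^"]*" "(?P<auth>[^"]*)"$')
VULN_PATH = "/userRpm/WlanNetworkRpm.htm"
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")   # characters a shell would interpret
DEFAULT_CREDS = {"admin:admin"}

def query_params(query):
    """Split on '&' only: older parse_qs also split on ';', hiding the very character we look for."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(val))
    return params

def classify(line):
    """Return the indicator names found in one log line (empty list = nothing notable)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return []
    findings = ["wlan_config_endpoint"]
    values = query_params(url.query).get("ssid1", [])
    if any(SHELL_META.search(v) or len(v.encode("utf-8")) > 32 for v in values):
        findings.append("ssid1_suspicious")   # metacharacters, or over the 32-byte 802.11 limit
    auth = m.group("auth")
    if auth.startswith("Basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            creds = ""
        if creds in DEFAULT_CREDS:
            findings.append("default_basic_auth")
    return findings
```

Only the second constructed line carries all three indicators; a legitimate SSID change with a non-default password (first line) is reported only as a hit on the endpoint, which a rule can treat as informational.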

Palo Alto Networks observed that the arm7 binary found in its telemetry appears to be a Mirai variant. It is similar to the one used in the Condi IoT botnet, with multiple occurrences of the string condi in the file's code. The malware can reply with a status message, start or stop operations, activate a lockdown mode, or launch an embedded HTTP server. It can also download updated malware versions depending on the command received.

If instructed, the malware turns the infected device into a web server. It randomly selects a port, starts an HTTP service, and listens for connections. In this mode, it can distribute malware binaries to other infected devices, helping the botnet spread.

Palo Alto Networks published a detailed analysis of the exploit for CVE-2023-33538 on a TP-Link router to understand why the attempts fail. The execution flow is long but simple in idea. The router takes the HTTP request, extracts the ssid1 value, stores it in configuration structures, and compares it with the previous settings. When it detects a change, it builds a system command such as an iwconfig invocation and inserts the SSID value directly into it, without cleaning or validating it.

The system then runs this command through a shell, which opens the door for code execution. However, the router requires authentication, so attackers cannot exploit it without valid credentials. Many deployments use default or weak login credentials, which increases the risk.
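The flaw described above, reduced to the one decision that matters, as an added example written in Python rather than the firmware's own code (it is not TP-Link's or Palo Alto Networks' code, and the interface name wlan0 is assumed): the unsafe builder splices the SSID into a command string that a shell will later interpret, while the hardened forms either quote the value or, preferably, pass it to iwconfig as a single argv element with no shell at all.

```python
import shlex
import subprocess

IFACE = "wlan0"   # assumed interface name; the article does not name the router's

def validate_ssid(ssid):
    """Enforce the 802.11 limit (1-32 octets) and reject control characters.
    Shell metacharacters are deliberately NOT rejected: ';', '$' or '"' are
    legal in an SSID, so the real fix is to never hand the value to a shell."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in ssid):
        raise ValueError("SSID contains control characters")
    return ssid

def build_iwconfig_unsafe(ssid):
    """Mirrors the flaw: the SSID is spliced into a command string that is later
    run by a shell, so a value containing a closing quote and ';' ends the
    essid argument and starts a second command."""
    return 'iwconfig %s essid "%s"' % (IFACE, ssid)

def build_iwconfig_quoted(ssid):
    """If a shell is unavoidable, shell-quote the value so it stays one word."""
    return "iwconfig %s essid %s" % (IFACE, shlex.quote(validate_ssid(ssid)))

def build_iwconfig_argv(ssid):
    """Preferred fix: an argv list run with shell=False, so the SSID reaches
    iwconfig as a single argument whatever characters it contains."""
    return ["iwconfig", IFACE, "essid", validate_ssid(ssid)]

def apply_ssid(ssid):
    """Apply the setting without a shell (needs root and a real wireless interface)."""
    return subprocess.run(build_iwconfig_argv(ssid), check=True, shell=False)
```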

Palo Alto Networks also saw important limitations in the environment. The router runs a restricted BusyBox shell with very few tools, so attackers cannot easily download or run advanced utilities. This limits the impact of the exploit in practice.

In summary, the vulnerability is real and allows command injection through ssid1, but successful attacks depend on authentication and on the very limited system environment. Neither the public PoC for CVE-2023-33538 nor the attack attempts observed in Palo Alto Networks' telemetry would successfully compromise the TP-Link router environment it analyzed. Its deep dive into the firmware and its emulation, however, reveals a significant gap between the theoretical vulnerability and its practical, real-world exploitation.



Related Information:
  • https://www.ethicalhackingnews.com/articles/CVE-2023-33538-A-Persistent-Vulnerability-in-TP-Link-Routers-Exposed-for-Over-a-Year-ehn.shtml
  • https://securityaffairs.com/191040/hacking/cve-2023-33538-under-attack-for-a-year-but-exploitation-still-unsuccessful.html
  • https://www.securityweek.com/hackers-fail-to-exploit-flaw-in-discontinued-tp-link-routers/
  • https://origin-unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-33538
  • https://www.cvedetails.com/cve/CVE-2023-33538/
  • https://en.wikipedia.org/wiki/Mirai_(malware)
  • https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
  • https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389
  • https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
  • https://cybersecuritynews.com/new-phishing-attack-uses-basic-auth-urls/
  • https://www.bleepingcomputer.com/news/security/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks/


Published: Mon Apr 20 10:59:27 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.
