Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers

Hackers have been targeting a vulnerability in discontinued TP-Link routers for a year, so far failing to successfully exploit it, Palo Alto Networks reports. Tracked as CVE-2023-33538 (CVSS score of 8.8), the flaw is described as an authenticated command injection issue rooted in the lack of sanitization of the ssid1 parameter in HTTP GET requests. “An attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router,” Palo Alto Networks explains. The weakness impacts TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10 router models, the cybersecurity firm says. Proof-of-concept (PoC) exploit code targeting the CVE has been publicly available for almost three years. In June last year, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, warning that it affects end-of-life (EoL) and end-of-service (EoS) products, and urging federal agencies to discontinue the use of these devices immediately. Now, Palo Alto Networks says the activity surrounding CVE-2023-33538’s exploitation that it has been tracking since June last year has involved Mirai-based payloads similar to the Condi IoT botnet binaries. The payload was designed to turn the infected devices into HTTP servers that would deliver malware binaries to requesting clients (other infected devices). Palo Alto Networks’ dive into the exploitation attempts has confirmed the existence of the underlying vulnerability, while uncovering errors in the exploit code that prevented attackers from successfully exploiting the CVE. Hackers, it says, attempted to exploit the bug without authentication, targeted the wrong parameter, and relied on a utility not present in the vulnerable devices’ BusyBox environment. “This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks,” the cybersecurity firm says. Successful exploitation of the command injection issue, Palo Alto Networks explains, could lead to denial-of-service (DoS) conditions or could allow attackers to achieve persistent access to the vulnerable devices. Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild Related: Cursor AI Vulnerability Exposed Developer Devices Related: 53 DDoS Domains Taken Down by Law Enforcement Related: 100 Chrome Extensions Steal User Data, Create Backdoor WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cursor AI Vulnerability Exposed Developer Devices 53 DDoS Domains Taken Down by Law Enforcement Artemis Emerges From Stealth With $70 Million in Funding Splunk Enterprise Update Patches Code Execution Vulnerability NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software Cisco Patches Critical Vulnerabilities in Webex, ISE Ransomware Hits Automotive Data Expert Autovista Capsule Security Emerges From Stealth With $7 Million in Funding Latest News Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks White House Chief of Staff to Meet With Anthropic CEO Over Its New AI Technology CoChat Launches AI Collaboration Platform to Combat Shadow AI In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested Another DraftKings Hacker Sentenced to Prison Lawmakers Gathered Quietly to Talk About AI. Angst and Fears of ‘Destruction’ Followed Recent Apache ActiveMQ Vulnerability Exploited in the Wild Two North Korean IT Worker Scheme Facilitators Jailed in the US Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email