TP-Link Routers Under Attack: Mirai Exploitation via Critical Vulnerability
Active scanning campaigns are targeting vulnerable TP-Link home routers to deploy Mirai-style malware, exploiting the CVE-2023-33538 vulnerability in a new wave of automated attacks. Research confirms that while current exploit attempts contain implementation flaws, the underlying command injection flaw remains highly dangerous when combined with default credentials and outdated firmware.
Vulnerability Details
The flaw resides in the /userRpm/WlanNetworkRpm.htm endpoint, which processes Wi-Fi configuration parameters. Attackers can inject arbitrary system commands through the ssid1 field without proper sanitization, allowing full device takeover. Technical analysis shows vulnerable devices execute commands via execve("/bin/sh") calls:

execve function call triggering shell command execution (Source: Unit42)Affected models—TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10—are all end-of-life without security updates. Public proof-of-concept exploits demonstrate how ssid1 inputs pass directly into shell commands.
Mirai Botnet Campaign
Automated HTTP GET targeting /userRpm/WlanNetworkRpm.htm surged after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025. Malicious requests inject command chains via SSID fields to download an ELF binary (arm7) from IP 51.38.137[.]113:

The arm7 binary exhibits Mirai botnet characteristics, with references to the “condi” family seen in IoT botnets. Once executed, it connects to command-and-control servers, updates across architectures, and converts routers into DDDoS weapons.
Flawed Exploits, Real Danger
Despite widespread scanning, observed attacks contain critical flaws:
- Wrong targeting: Many requests use
ssidinstead of vulnerablessid1field - Authentication bypass failure: Exploits use
admin:adminheaders without valid session tokens - Missing tools: Firmware lacks
wgetfor downloads, blocking payload execution
However, firmware emulation confirms the vulnerability is exploitable with correct credentials. Default or weak passwords create high-risk infection vectors.
Mitigation Recommendations
Vendor Advice: TP-Link urges replacing devices with supported hardware and avoiding default credentials. CISA’s KEV guidance recommends:
- Disable remote management in router settings
- Segment IoT devices from critical networks
- Enforce strong, unique admin passwords
Defender Actions: Block attacks via URL/DNS filtering, intrusion prevention, and Mirai-linked infrastructure monitoring. Replace vulnerable units promptly and investigate unusual outbound connections or login attempts.