htRe X j XBd DCUZeTHacRC

TP-Link Routers Under Attack: Mirai Exploitation via Critical Vulnerability

Active scanning campaigns are targeting vulnerable TP-Link home routers to deploy Mirai-style malware, exploiting the CVE-2023-33538 vulnerability in a new wave of automated attacks. Research confirms that while current exploit attempts contain implementation flaws, the underlying command injection flaw remains highly dangerous when combined with default credentials and outdated firmware.

Vulnerability Details

The flaw resides in the /userRpm/WlanNetworkRpm.htm endpoint, which processes Wi-Fi configuration parameters. Attackers can inject arbitrary system commands through the ssid1 field without proper sanitization, allowing full device takeover. Technical analysis shows vulnerable devices execute commands via execve("/bin/sh") calls:

The final execve function call triggering shell command execution
The final execve function call triggering shell command execution (Source: Unit42)

Affected models—TL-WR940N v2/v4, TL-WR740N v1/v2, and TL-WR841N v8/v10—are all end-of-life without security updates. Public proof-of-concept exploits demonstrate how ssid1 inputs pass directly into shell commands.

Mirai Botnet Campaign

Automated HTTP GET targeting /userRpm/WlanNetworkRpm.htm surged after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025. Malicious requests inject command chains via SSID fields to download an ELF binary (arm7) from IP 51.38.137[.]113:

Hard-coded IP address in the malware update_bins function
Hard-coded IP in the malware update_bins function (Source: Unit42)

The arm7 binary exhibits Mirai botnet characteristics, with references to the “condi” family seen in IoT botnets. Once executed, it connects to command-and-control servers, updates across architectures, and converts routers into DDDoS weapons.

Flawed Exploits, Real Danger

Despite widespread scanning, observed attacks contain critical flaws:

  • Wrong targeting: Many requests use ssid instead of vulnerable ssid1 field
  • Authentication bypass failure: Exploits use admin:admin headers without valid session tokens
  • Missing tools: Firmware lacks wget for downloads, blocking payload execution

However, firmware emulation confirms the vulnerability is exploitable with correct credentials. Default or weak passwords create high-risk infection vectors.

Mitigation Recommendations

Vendor Advice: TP-Link urges replacing devices with supported hardware and avoiding default credentials. CISA’s KEV guidance recommends:

  • Disable remote management in router settings
  • Segment IoT devices from critical networks
  • Enforce strong, unique admin passwords

Defender Actions: Block attacks via URL/DNS filtering, intrusion prevention, and Mirai-linked infrastructure monitoring. Replace vulnerable units promptly and investigate unusual outbound connections or login attempts.

Related Articles

Back to top button