TP-Link Router Flaw Targeted for a Year, But Hackers Keep Failing to Pull It Off

April 20, 2026 08:00 · 4 min read
A High-Severity Flaw That Attackers Can't Quite Crack

For more than a year, malicious actors have been probing a known vulnerability in a range of discontinued TP-Link routers — yet despite persistent effort, they have so far failed to successfully exploit it. That is the finding from Palo Alto Networks, which has been tracking exploitation attempts related to CVE-2023-33538 since June of last year.

The vulnerability carries a CVSS score of 8.8 and is classified as an authenticated command injection flaw. At its core, the issue stems from a lack of proper input sanitization applied to the ssid1 parameter within HTTP GET requests. As Palo Alto Networks describes it:

"An attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router."

Affected Devices Are All End-of-Life Products

The vulnerability affects several TP-Link router models that the company no longer supports, among them the TL-WR940N, TL-WR740N, and TL-WR841N.

Because these are end-of-life (EoL) and end-of-service (EoS) products, there is no expectation of an official patch from TP-Link. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June last year, explicitly warning federal agencies to stop using these devices immediately given the absence of vendor support.

Making matters more concerning, proof-of-concept (PoC) exploit code targeting this vulnerability has been publicly available for nearly three years, giving threat actors ample time to study and weaponize it.

Mirai-Based Payloads and Botnet Tactics

Despite the long availability of exploit code, the actual attack campaigns Palo Alto Networks has observed have relied on payloads bearing a strong resemblance to binaries associated with the Condi IoT botnet, a Mirai-based malware family. The design of the payload was straightforward in intent: infect a vulnerable device and convert it into an HTTP server capable of distributing additional malware binaries to other requesting clients — essentially other already-compromised devices seeking to propagate the infection further.

This approach is characteristic of the broader Mirai ecosystem, where infected routers and IoT devices are recruited into botnets and used to carry out distributed denial-of-service (DDoS) attacks or serve as staging infrastructure for further malicious activity.

Why the Exploitation Keeps Failing

Palo Alto Networks' analysis of these ongoing attempts confirmed that the underlying vulnerability in CVE-2023-33538 is real. However, the researchers also identified a series of critical mistakes within the attackers' exploit code that have consistently prevented successful exploitation. The firm identified three key errors:

  1. Authentication bypass attempts: Hackers tried to exploit the vulnerability without authentication, despite the fact that it is classified as an authenticated flaw — meaning valid credentials are required to trigger it.
  2. Wrong parameter targeted: The exploit code was directed at an incorrect parameter, meaning the injection attempt would never reach the vulnerable component of the router.
  3. Missing utility dependency: The attackers' code relied on a utility that simply does not exist within the BusyBox environment present on the affected devices, causing the exploit to fail at execution.

Palo Alto Networks summarized the pattern bluntly:

"This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks."
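The "noisy but ineffective" pattern described above is also what makes these probes easy to spot from the defender's side. The script below is an added example, not code from Palo Alto Networks or from the SecurityWeek article: it walks a small set of constructed access-log lines (the log format, the `/admin/wireless` path and the client addresses are all invented for the demo, not TP-Link's real admin endpoints) and flags requests that write the `ssid1` parameter with shell metacharacters, separating the unauthenticated attempts the article says keep failing from the authenticated ones that would actually satisfy the flaw's precondition.

```python
"""Flag HTTP requests that poke the ssid1 parameter with shell metacharacters.

Constructed example: the log format below is invented for this demo and the
request paths are placeholders, not TP-Link's real admin endpoints.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters a legitimate SSID entered through the admin UI would
# not normally contain; their presence in ssid1 is the injection signal.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

# Constructed log format (not a real router or WAF format):
#   <timestamp> <client-ip> <method> <url> <status> <authenticated:0|1>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<auth>[01])$"
)

# Constructed sample log: one legitimate admin change, a scanner hammering
# the parameter without a session, and one authenticated injection attempt.
SAMPLE_LOG = """\
2026-04-19T10:00:01Z 192.0.2.10 GET /admin/wireless?ssid1=HomeNet&channel=6 200 1
2026-04-19T10:02:17Z 203.0.113.5 GET /admin/wireless?ssid1=x%3Becho%20probe 401 0
2026-04-19T10:02:18Z 203.0.113.5 GET /admin/wireless?ssid1=x%60echo%20probe%60 401 0
2026-04-19T10:05:44Z 198.51.100.7 GET /admin/wireless?ssid1=Guest%7Cecho%20probe 200 1
2026-04-19T10:06:00Z 203.0.113.5 GET /admin/wireless?ssid1=Probe 401 0
2026-04-19T10:07:30Z 192.0.2.10 GET /admin/status 200 1
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authenticated"] = rec.pop("auth") == "1"
    return rec


def classify(rec):
    """Return a verdict for one parsed request.

    ignore                - ssid1 not present in the query string
    benign                - authenticated, ssid1 looks like a plain SSID
    unauth-ssid1-write    - no session, but writing ssid1 (scanner noise)
    probe-unauthenticated - shell metacharacters, no session (fails precondition)
    probe-authenticated   - shell metacharacters with a valid session (real risk)
    """
    query = urlsplit(rec["url"]).query
    values = parse_qs(query, keep_blank_values=True).get("ssid1")  # already URL-decoded
    if values is None:
        return "ignore"
    injected = any(SHELL_META.search(v) for v in values)
    if injected:
        return "probe-authenticated" if rec["authenticated"] else "probe-unauthenticated"
    return "benign" if rec["authenticated"] else "unauth-ssid1-write"


def scan_log(text):
    """Return [(client, verdict)] for every parseable line that touches ssid1."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict != "ignore":
            findings.append((rec["client"], verdict))
    return findings


def per_client_summary(findings):
    """Count verdicts per client so a noisy scanner stands out at a glance."""
    summary = {}
    for client, verdict in findings:
        summary.setdefault(client, Counter())[verdict] += 1
    return summary


if __name__ == "__main__":
    for client, counts in per_client_summary(scan_log(SAMPLE_LOG)).items():
        print(client, dict(counts))
```

The split between `probe-unauthenticated` and `probe-authenticated` is the useful part: the former is the bulk noise the article describes and mostly tells you a device is being scanned, while the latter means someone holds a valid session on an unpatchable router and should be escalated, not just counted.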

What Successful Exploitation Would Actually Mean

Despite the attackers' current failure rate, the risk posed by CVE-2023-33538 should not be dismissed entirely. Palo Alto Networks notes that a successful exploitation of the command injection flaw could result in two significant outcomes: it could cause denial-of-service (DoS) conditions that render the router inoperable, or it could enable attackers to gain persistent access to the compromised device — a particularly dangerous outcome given that EoL routers cannot receive security patches to remove such a foothold.

The Broader Lesson: End-of-Life Devices Remain a Liability

This case highlights a persistent and growing problem in both enterprise and home networking environments: the continued reliance on hardware that manufacturers no longer support. Even when attackers are currently failing, the combination of a publicly documented flaw, freely available PoC code, and devices that will never receive a patch creates an enduring attack surface.

CISA's directive to federal agencies to immediately discontinue use of the affected TP-Link models reflects the seriousness of the situation. For organizations and individuals still running TL-WR940N, TL-WR740N, or TL-WR841N routers, the guidance is unambiguous: these devices should be replaced with supported hardware as soon as possible, regardless of whether current exploitation attempts are succeeding.

The activity Palo Alto Networks has tracked since June last year serves as a reminder that threat actors do not give up on a target simply because early attempts fail. Exploit code can be refined, errors corrected, and attack techniques improved over time — and with no patch forthcoming for these devices, the window of vulnerability remains permanently open.


Source: SecurityWeek
