Critical Command Injection in TP‑Link Routers (CVE‑2023‑33538) Under Active Attack but No Confirmed Exploits
What It Is – CVE‑2023‑33538 is a command‑injection flaw in the /userRpm/WlanNetworkRpm component of several legacy TP‑Link Wi‑Fi routers (WR940N v2/v4, WR740N v1/v2, WR841N v8/v10). The vulnerability (CVSS 8.8) allows an unauthenticated attacker to inject arbitrary OS commands via the ssid1 HTTP parameter.
Exploitability – Proof‑of‑concept exploits have been publicly released and telemetry from Palo Alto Networks shows large‑scale exploitation attempts since the vulnerability entered the CISA KEV catalog (June 2025). Despite repeated attempts, no successful compromise of the devices has been verified to date.
Affected Products – TP‑Link router models: TL‑WR940N v2/v4, TL‑WR740N v1/v2, TL‑WR841N v8/v10 (all end‑of‑life firmware).
TPRM Impact –
- Legacy routers are often deployed in corporate branch offices, retail sites, and IoT edge nodes, creating a potential supply‑chain foothold.
- Successful exploitation could enlist devices into Mirai‑style botnets, enabling DDoS attacks or lateral movement toward critical business systems.
Recommended Actions –
- Verify firmware version on all TP‑Link routers; apply the latest security patches or replace devices with supported models.
- Immediately disable default credentials (admin:admin) and enforce strong, unique passwords.
- Segment IoT/branch‑office networks from core corporate assets; enforce strict firewall rules on the /userRpm/WlanNetworkRpm endpoint.
- Deploy IDS/IPS signatures that detect the characteristic GET requests and the arm7 ELF payload.
- Conduct an inventory audit to ensure no unsupported TP‑Link hardware remains in the environment.
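The detection action above can be approximated without vendor signatures by scanning web or proxy access logs for requests to the vulnerable endpoint whose ssid1 parameter carries shell metacharacters or exceeds the 32‑byte SSID limit from 802.11. The following is an added example, not code from the Security Affairs article or from TP‑Link: the log lines are constructed (203.0.113.0/24 is a documentation address range), the prefix match on /userRpm/WlanNetworkRpm is an assumption so that suffix variants of the path are also caught, and the metacharacter list is a defensive heuristic rather than a full parser of what the firmware accepts.

```python
"""Flag suspicious requests to the TP-Link WlanNetworkRpm endpoint in access logs.

Added example for CVE-2023-33538 triage (not from the article or from TP-Link).
A request is flagged when its ssid1 parameter contains shell metacharacters
or is longer than a legitimate SSID can be.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; matched as a case-insensitive prefix so that
# suffix variants such as ".htm" are also caught (assumption).
TARGET_PATH = "/userRpm/WlanNetworkRpm"
# 802.11 limits an SSID to 32 octets; a longer value cannot be a real SSID.
MAX_SSID_LEN = 32
# Characters that have no business in an SSID but are meaningful to a shell.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")

# Combined log format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real telemetry).
SAMPLE_LOGS = [
    '203.0.113.10 - - [15/Jun/2025:10:01:12 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeWifi&channel=6 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [15/Jun/2025:10:02:44 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=guest%3Btest HTTP/1.1" 200 1523 "-" "curl/7.88"',
    '203.0.113.12 - - [15/Jun/2025:10:03:01 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=' + "A" * 40 + ' HTTP/1.1" 200 1523 "-" "python-requests/2.31"',
    '203.0.113.13 - - [15/Jun/2025:10:03:30 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [15/Jun/2025:10:04:05 +0000] "GET /userrpm/wlannetworkrpm.htm?ssid1=x%60test%60 HTTP/1.1" 404 0 "-" "curl/7.88"',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return the reasons a request target looks like CVE-2023-33538 probing ([] if clean)."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(TARGET_PATH.lower()):
        return []
    reasons = []
    # parse_qs percent-decodes values, so %3B and %60 are inspected as ';' and '`'.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ssid1", []):
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in ssid1")
        if len(value.encode("utf-8")) > MAX_SSID_LEN:
            reasons.append("ssid1 longer than 32 bytes")
    return reasons


def scan_logs(lines):
    """Return a list of (client, timestamp, status, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_request(rec["target"])
        if reasons:
            hits.append((rec["client"], rec["ts"], rec["status"], reasons))
    return hits


if __name__ == "__main__":
    for client, ts, status, reasons in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {client} status={status}: {', '.join(reasons)}")
```

The status code is kept in each hit because a 404 from a device that does not serve the endpoint still tells you which sources are sweeping the network for this bug, which is the "exploitation attempts without confirmed compromise" picture the article describes; feeding the hits into an existing alerting pipeline, rather than printing them, is the only change needed for production use.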
Source: Security Affairs – CVE‑2023‑33538 under attack for a year, but exploitation still unsuccessful