In a year-long campaign, hackers have targeted a critical flaw in discontinued TP-Link routers but have yet to exploit it successfully, according to Palo Alto Networks. The vulnerability, identified as CVE-2023-33538, holds a high CVSS score of 8.8, indicating significant potential risk.
Details of the TP-Link Vulnerability
The flaw, a command injection issue, arises from inadequate sanitization of the ssid1 parameter in HTTP GET requests. An attacker could potentially execute arbitrary system commands on the affected Wi-Fi routers by exploiting this weakness. The impacted models include TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10.
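The description above (a command injection reached through the ssid1 parameter of an HTTP GET request) is the kind of thing a defender can hunt for in web-server or proxy logs. The following is an added example, not code from the article or from Palo Alto Networks: a small log scanner that flags requests whose query parameters carry shell metacharacters, tagging hits on ssid1 as CVE-2023-33538 indicators. It goes slightly beyond the page by checking every parameter, so attempts aimed at the wrong parameter (as the article says the observed exploit code did) still surface, and it decodes values twice to catch double percent-encoding. The endpoint path and the log lines are constructed placeholders; the article does not name the vulnerable URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-style access log: ip - - [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Sequences that mean something to a POSIX shell and have no business
# inside an SSID submitted through a router's web UI.
SHELL_META = re.compile(r'[;|`&\n\r]|\$\(|\$\{')

# The parameter the article names for CVE-2023-33538.
CVE_PARAM = "ssid1"


def suspicious_params(target):
    """Return [(name, decoded_value), ...] for each query parameter whose
    decoded value contains shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decoding again catches
        # double-encoded values such as %253B -> %3B -> ';'
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(lines):
    """Return one finding per suspicious parameter: (src_ip, param, value, tag)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name, value in suspicious_params(m.group("target")):
            tag = "CVE-2023-33538" if name == CVE_PARAM else "cmd-injection-pattern"
            findings.append((m.group("ip"), name, value, tag))
    return findings


# Constructed sample log lines; the path is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /PLACEHOLDER_WLAN_CGI?ssid1=HomeNet&channel=6 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /PLACEHOLDER_WLAN_CGI?ssid1=Net%24%28uname%29 HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2025:10:00:09 +0000] "GET /PLACEHOLDER_WLAN_CGI?ssid=Net%3Bx HTTP/1.1" 404 180',
    '203.0.113.5 - - [01/Jan/2025:10:00:12 +0000] "GET /PLACEHOLDER_WLAN_CGI?ssid1=Guest%253Bx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, param, value, tag in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{param}={value!r}\t{tag}")
```

Run against real logs by replacing SAMPLE_LOG with lines read from the access log; the benign first line produces no finding, the second and fourth are tagged as CVE-2023-33538 hits on ssid1, and the third is reported as a generic injection pattern against a different parameter.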
Despite the availability of proof-of-concept exploit code for nearly three years, hackers have been unable to leverage it effectively. The U.S. cybersecurity agency CISA added this bug to its Known Exploited Vulnerabilities (KEV) catalog in June last year, urging the discontinuation of these devices.
Hacker Attempts and Failures
Since tracking began in June last year, Palo Alto Networks has observed exploitation activities centered on CVE-2023-33538 involving Mirai-based payloads, akin to the Condi IoT botnet binaries. These payloads aimed to transform infected routers into HTTP servers to distribute malware to other compromised devices.
However, the cybersecurity firm identified errors in the exploit code that prevented successful exploitation: the attackers attempted access without proper authorization, targeted the wrong parameters, and invoked a utility that does not exist in the devices’ BusyBox environment, so the attacks had no effect.
Potential Impact and Future Implications
Although the attempts have failed so far, successful exploitation of the vulnerability could cause denial-of-service conditions or give an attacker persistent unauthorized access to affected devices. The situation underscores the importance of addressing vulnerabilities in outdated hardware.
Ongoing monitoring and mitigation efforts are crucial as cyber threats continue to evolve. Organizations are advised to replace end-of-life and end-of-service products to minimize security risks.
