Cyber Web Spider Blog – News

TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert

Posted on June 17, 2025 By CWS

Jun 17, 2025 | Ravie Lakshmanan | Network Security / IoT Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.
“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm,” the agency said.
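
For defenders who log HTTP traffic to router management interfaces, the request pattern described above can be checked for directly. The following is an added detection sketch, not code from CISA, TP-Link or the original article; it assumes combined-log-format lines from a proxy or sensor in front of the device, and the sample lines and the metacharacter policy are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Component and parameter named in the advisory text.
COMPONENT = "/userRpm/WlanNetworkRpm"
PARAM = "ssid1"
# Characters a shell treats specially (assumed policy: an SSID never needs them).
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n\r]")
# Combined log format: source address first, request line in double quotes.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (source, decoded ssid1) pairs for requests to the component
    whose ssid1 value contains shell metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m["target"])
        # Prefix match, so suffixed forms of the component path are covered.
        if not url.path.startswith(COMPONENT):
            continue
        # parse_qs percent-decodes values, so "%3B" and ";" are treated alike.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if SHELL_META.search(value):
                hits.append((m["src"], value))
    return hits


# Constructed sample lines: documentation addresses, placeholder payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2025:10:00:01 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=Home+Net HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jun/2025:10:00:05 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=x%3BPLACEHOLDER HTTP/1.1" 200 512',
    '203.0.113.4 - - [17/Jun/2025:10:00:09 +0000] '
    '"GET /userRpm/StatusRpm?ssid1=a%7Cb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {src} ssid1={value!r}")
```

Only the second sample line is flagged: the first carries an ordinary SSID and the third targets a different path.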

CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available.
There is currently no public information about how the shortcoming may be exploited in the wild.
In December 2024, Palo Alto Networks Unit 42 revealed that it had identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM) and that one of the IP addresses corresponding to an ENCO control device also acted as a router web server using TP-Link WR740N to access the ENCO device from a web browser.
However, it further pointed out that “there is no hard evidence to indicate that the attackers exploited [CVE-2023-33538] in the July 2024 FrostyGoop attack.”
The Hacker News has reached out to TP-Link for further details, and we will update the story if we hear back. In light of active exploitation, federal agencies are required to remediate the flaw by July 7, 2025.
New Activity Targets CVE-2023-28771
The disclosure comes as GreyNoise has warned of exploit attempts targeting a critical security flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).

CVE-2023-28771 refers to another operating system command injection vulnerability that could permit an unauthenticated attacker to execute commands by sending crafted requests to a susceptible device. It was patched by Zyxel in April 2023.
While the vulnerability was weaponized to build distributed denial-of-service (DDoS) botnets such as Mirai shortly after public disclosure, the threat intelligence firm said it observed heightened attempts to exploit it as recently as June 16, 2025.

As many as 244 unique IP addresses are said to have participated in the efforts over a short timespan, with the activity targeting the United States, United Kingdom, Spain, Germany, and India.
“Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771,” GreyNoise said, adding it identified “indicators consistent with Mirai botnet variants.”
To mitigate the threat, users are recommended to update their Zyxel devices to the latest version, monitor for any anomalous activity, and limit exposure where applicable.
