Hackers have been targeting a vulnerability in discontinued TP-Link routers for a year, so far failing to successfully exploit it, Palo Alto Networks reports.
Tracked as CVE-2023-33538 (CVSS score of 8.8), the flaw is described as an authenticated command injection issue rooted in the lack of sanitization of the ssid1 parameter in HTTP GET requests.
“An attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router,” Palo Alto Networks explains.
The weakness impacts TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10 router models, the cybersecurity firm says.
Proof-of-concept (PoC) exploit code targeting the CVE has been publicly available for almost three years.
In June last year, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, warning that it affects end-of-life (EoL) and end-of-service (EoS) products, and urging federal agencies to discontinue the use of these devices immediately.
Now, Palo Alto Networks says the activity surrounding CVE-2023-33538’s exploitation that it has been tracking since June last year has involved Mirai-based payloads similar to the Condi IoT botnet binaries.
The payload was designed to turn the infected devices into HTTP servers that would deliver malware binaries to requesting clients (other infected devices).
Palo Alto Networks’ dive into the exploitation attempts has confirmed the existence of the underlying vulnerability, while uncovering errors in the exploit code that prevented attackers from successfully exploiting the CVE.
Hackers, it says, attempted to exploit the bug without authentication, targeted the wrong parameter, and relied on a utility not present in the vulnerable devices’ BusyBox environment.
“This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks,” the cybersecurity firm says.
Successful exploitation of the command injection issue, Palo Alto Networks explains, could lead to denial-of-service (DoS) conditions or could allow attackers to achieve persistent access to the vulnerable devices.
Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild
Related: Cursor AI Vulnerability Exposed Developer Devices
Related: 53 DDoS Domains Taken Down by Law Enforcement
Related: 100 Chrome Extensions Steal User Data, Create Backdoor
