The US cybersecurity agency CISA on Monday warned that threat actors are exploiting a two-year-old vulnerability affecting multiple discontinued TP-Link router models.
Tracked as CVE-2023-33538 (CVSS score of 8.8), the bug is described as a command injection vulnerability in the /userRpm/WlanNetworkRpm component, and impacts the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 router models.
The issue allows remote attackers to execute arbitrary system commands on vulnerable devices by submitting specially crafted requests.
Proof-of-concept (PoC) exploit code targeting the security defect was published on GitHub last month, but has since been removed.
According to TP-Link’s list (PDF) of discontinued products, support for the TL-WR841N and TL-WR740N routers was discontinued before 2018. The company stopped providing software updates for TL-WR940N last year.
On Monday, CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) list, urging users to stop using the affected products, as they are no longer supported.
Additionally, the agency warned of the active exploitation of CVE-2025-43200, a vulnerability in the processing of maliciously crafted photos and videos shared via an iCloud link, which impacts multiple Apple products.
Apple addressed the security defect in February, with the release of iOS 18.3.1, iPadOS 18.3.1, and macOS Sequoia 15.3.1, as well as with updates for older platform iterations.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the company’s updated advisory reads.
Last week, Citizen Lab warned that the bug has been exploited to infect at least two journalists’ phones with Paragon’s ‘Graphite’ mobile hacking software.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until July 7 to remove vulnerable TP-Link routers from their environments and update their Apple devices to the latest software releases.
