Command Injection Vulnerability in TP-Link Routers
CVE-2023-33538
Key Information:
- Vendor: TP-Link
- Status:
- CVE Published: 7 June 2023
What is CVE-2023-33538?
CVE-2023-33538 is a command injection vulnerability in specific TP-Link router models: the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2. These are widely deployed home and small-office devices providing wireless networking and internet sharing. The flaw lies in the component that manages WLAN settings, specifically the /userRpm/WlanNetworkRpm interface of the router's web management UI, which passes unsanitized request parameters into a shell command. An attacker who can reach that interface and submit crafted parameters can therefore execute arbitrary commands on the router, gaining control of the device, disrupting network services and compromising connected systems. Exposure is greatest where the management interface is reachable from the WAN or from untrusted LAN clients.
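Because the page only names the vulnerable endpoint, the most useful practitioner-side check is a log triage rule: flag any request to /userRpm/WlanNetworkRpm whose parameters carry shell metacharacters, including double-encoded ones. The script below is an added example, not code from the page, TP-Link or CISA. It assumes that traffic to the router's web UI is logged in Apache combined format by a proxy or sensor in front of the device; the sample log lines, client addresses and parameter names (for example `ssid`) are constructed for illustration and are not taken from the advisory.

```python
"""Flag requests to the TP-Link /userRpm/WlanNetworkRpm endpoint whose
parameters carry shell metacharacters. Added example, not code from the
page, TP-Link or CISA. Assumptions: the router's web UI traffic is logged
in Apache combined format by a proxy/sensor in front of the device; the
sample lines and parameter names (e.g. ssid) are constructed, since the
page only names the endpoint."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_PATH = "/userRpm/WlanNetworkRpm"

# Characters that let a parameter value break out of a shell command line:
# command separators, pipes, backticks, $ (covers $(...) and ${...}),
# redirects and line breaks.
META = re.compile(r"[;&|`$<>\r\n]")

# Apache combined log: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, decoded value) pairs for requests to VULN_PATH whose
    query parameters contain shell metacharacters. Other paths yield []."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again so a double-encoded
        # payload (%253B -> %3B -> ;) is judged by what the firmware would see.
        decoded = unquote(value)
        if META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Run the check over log lines; return one finding per matching request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        hits = suspicious_params(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "method": rec["method"], "params": hits})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2025:10:01:02 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid=HomeNet&channel=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Jun/2025:10:02:15 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid=Net%3Bid&channel=6 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [16/Jun/2025:10:02:40 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid=Net%2524%2528id%2529 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [16/Jun/2025:10:03:01 +0000] '
    '"GET /index.htm?q=a%3Bb HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {VULN_PATH} "
              f"suspicious params: {f['params']}")
```

Two caveats: access logs only show the query string, so parameters submitted in a POST body need a sensor that records request bodies; and the metacharacter test is a coarse triage filter, not proof of exploitation. A hit on a device still running vulnerable firmware should be treated as a compromised-router incident until the configuration and firmware have been verified.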
Potential Impact of CVE-2023-33538
- Unauthorized Access and Control: Attackers exploiting this vulnerability could gain full control over the affected routers, allowing them to modify configurations, eavesdrop on network traffic, and potentially pivot to other devices on the network.
- Network Disruption: The ability to execute arbitrary commands may enable attackers to disrupt normal operation of the router, leading to loss of connectivity for users and devices reliant on the compromised equipment.
- Propagation of Threats: A compromised router can serve as a launch point for further attacks, enabling the distribution of malware or facilitating unauthorized access to sensitive information within a local network, thereby increasing the broader risk of data breaches.
CISA has reported CVE-2023-33538
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog and has listed CVE-2023-33538 as being exploited; the catalog does not currently record it as used in ransomware campaigns. That status may change quickly, as some recent news coverage suggests the vulnerability is being used by ransomware groups.
CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
News Articles
- CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
  CISA has added two new vulnerabilities to its KEV Catalog, based on evidence of active exploitation.
  2 days ago
- TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert
  TP-Link and Zyxel router flaws are under active attack, affecting global users and federal systems. Urgent updates needed.
  4 days ago
- FrostyGoop's Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
  We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.
EPSS Score: 89% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Unit 42
- Vulnerability published
- Vulnerability Reserved