Hackers Exploit End-of-Life TP-Link Routers to Spread Mirai-Based Botnet

Hackers Exploit TP-Link Router Vulnerabilities to Deploy Mirai-Based Botnet

Cybersecurity researchers have identified active exploitation of a critical vulnerability, designated as CVE-2023-33538, in several end-of-life TP-Link Wi-Fi routers. Attackers are leveraging this flaw to install Mirai-based botnet malware on susceptible devices, posing significant security risks to users.

Affected Devices and Vulnerability Details

The vulnerability impacts multiple TP-Link router models that no longer receive official updates, including:

– TL-WR940N (versions 2 and 4)
– TL-WR740N (versions 1 and 2)
– TL-WR841N (versions 8 and 10)

These devices exhibit a common weakness in their web management interfaces. Specifically, the ‘ssid’ parameter within HTTP GET requests to the ‘/userRpm/WlanNetworkRpm’ endpoint lacks proper input validation. This oversight allows attackers to inject and execute arbitrary commands on the routers without triggering alerts.

Exploitation Methodology

Attackers initiate the exploitation by sending crafted HTTP GET requests containing malicious commands embedded in the ‘ssid’ parameter. Upon processing these requests, the vulnerable routers download an ELF binary named ‘arm7’ from a remote server (IP address 51.38.137[.]113), grant it execution permissions, and execute it immediately.

The ‘arm7’ binary is identified as a variant of the Condi IoT botnet malware, which is based on the notorious Mirai botnet. Once executed, the malware connects to a command-and-control (C2) server, integrating the compromised device into a larger botnet network.

Malware Behavior and Propagation

After infection, the ‘arm7’ binary performs several actions to maintain its presence and facilitate further spread:

– C2 Communication: The malware establishes a connection with the C2 server at ‘cnc.vietdediserver[.]shop’, awaiting commands and sending periodic heartbeat signals.

– Self-Update Mechanism: Utilizing the ‘update_bins()’ function, the malware downloads updated versions of itself for various CPU architectures, including arm6, mips, sh4, and x86_64, from the hardcoded IP address 51.38.137[.]113.

– HTTP Server Deployment: The malware initiates an HTTP server on a randomly selected port between 1024 and 65535. This server distributes the malware to other devices, enabling autonomous propagation without further attacker intervention.
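The two sections above describe what the exploitation attempt looks like on the wire (a GET to ‘/userRpm/WlanNetworkRpm’ with command syntax in ‘ssid’) and what the infected router does afterwards (resolves the C2 domain, pulls architecture-named binaries from 51.38.137[.]113). The following Python script is an added example written for this page, not code from the researchers or the article, showing how a defender could search two kinds of logs for both stages: a web/proxy access log in common log format for the exploitation attempt, and a simplified DNS/connection log for the post-infection indicators. The log formats, the sample lines and the `PLACEHOLDER_CMD` token are constructed for illustration; the endpoint, IP, domain and binary names are the ones the article reports.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators reported in the article (defanging brackets removed so they match)
VULN_ENDPOINT = "/userRpm/WlanNetworkRpm"
IOC_IPS = {"51.38.137.113"}
IOC_DOMAINS = {"cnc.vietdediserver.shop"}
DROPPER_NAMES = {"arm7", "arm6", "mips", "sh4", "x86_64"}

# Shell metacharacters that never belong in a Wi-Fi network name typed into the UI
SHELL_META = re.compile(r"[;|`&]|\$\(")

# Common log format: client ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed format for the second log: "<ts> dns <src> <name>" or
# "<ts> conn <src> <dst-ip:port> <uri-or-dash>" (assumption, not a real tool's output)
NET_LINE = re.compile(r"^(\S+) (dns|conn) (\S+) (\S+)(?: (\S+))?$")


def _decode_ssid(request_path):
    """Return the percent-decoded ssid value if the request hits the vulnerable endpoint."""
    parts = urlsplit(request_path)
    if parts.path != VULN_ENDPOINT:
        return None
    # Manual split so ';' inside a value is never treated as a pair separator
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "ssid":
            return unquote_plus(value)
    return None


def scan_http_log(log_text):
    """Flag requests to the vulnerable endpoint whose ssid carries shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        src, ts, _method, path, _status = m.groups()
        ssid = _decode_ssid(path)
        if ssid is not None and SHELL_META.search(ssid):
            findings.append({"src": src, "time": ts, "ssid": ssid,
                             "reason": "shell metacharacters in ssid"})
    return findings


def scan_network_log(log_text):
    """Flag DNS queries for the C2 domain, connections to the payload host,
    and fetches of architecture-named binaries (the update_bins() pattern)."""
    findings = []
    for line in log_text.splitlines():
        m = NET_LINE.match(line)
        if not m:
            continue
        ts, kind, src, target, uri = m.groups()
        reasons = []
        if kind == "dns" and target.lower() in IOC_DOMAINS:
            reasons.append("DNS query for known C2 domain")
        if kind == "conn":
            dst_ip = target.rsplit(":", 1)[0]
            if dst_ip in IOC_IPS:
                reasons.append("connection to known payload host")
            if uri and uri.lstrip("/") in DROPPER_NAMES:
                reasons.append("fetch of architecture-named binary")
        if reasons:
            findings.append({"src": src, "time": ts, "target": target, "reasons": reasons})
    return findings


# Constructed sample access log: one benign SSID change, two injection attempts
SAMPLE_HTTP_LOG = """\
192.0.2.10 - - [12/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid=HomeWiFi&channel=6 HTTP/1.1" 200 512
198.51.100.7 - - [12/Jun/2025:10:01:05 +0000] "GET /userRpm/WlanNetworkRpm?ssid=x%60PLACEHOLDER_CMD%60&channel=1 HTTP/1.1" 200 512
192.0.2.11 - - [12/Jun/2025:10:02:00 +0000] "GET /userRpm/StatusRpm HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jun/2025:10:02:30 +0000] "GET /userRpm/WlanNetworkRpm?ssid=a;PLACEHOLDER_CMD HTTP/1.1" 200 512
"""

# Constructed sample network log: 192.168.1.1 plays the infected router
SAMPLE_NET_LOG = """\
2025-06-12T10:01:06Z dns 192.168.1.1 cnc.vietdediserver.shop
2025-06-12T10:01:07Z conn 192.168.1.1 51.38.137.113:80 /arm7
2025-06-12T10:01:09Z conn 192.168.1.20 203.0.113.5:443 -
2025-06-12T10:03:00Z conn 192.168.1.1 198.51.100.9:80 /mips
2025-06-12T10:03:10Z dns 192.168.1.20 example.com
"""

if __name__ == "__main__":
    for f in scan_http_log(SAMPLE_HTTP_LOG):
        print("HTTP:", f)
    for f in scan_network_log(SAMPLE_NET_LOG):
        print("NET: ", f)
```

The access-log check keys on the endpoint plus metacharacters rather than on a specific payload, so it also catches variants that fetch a different file or host; the network check treats an architecture-named fetch from an unknown host as a weaker signal, which is why it is reported as a separate reason rather than folded into the IoC match.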

Detection and Mitigation

Exploitation of CVE-2023-33538 was first observed in May 2025; the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. Researchers from Palo Alto Networks’ Unit 42 detected widespread, automated exploitation attempts targeting the vulnerable endpoint across numerous devices.

Given that the affected TP-Link router models are end-of-life and no longer receive security updates, users are strongly advised to:

– Replace Outdated Hardware: Upgrade to newer router models that receive regular security patches and support.

– Disable Remote Management: If upgrading is not immediately feasible, disable remote management features to reduce exposure to external threats.

– Regular Firmware Updates: Ensure that all network devices are running the latest firmware versions to mitigate known vulnerabilities.

Broader Implications

This incident underscores the critical importance of maintaining up-to-date hardware and software in network infrastructure. Outdated devices lacking vendor support become prime targets for cybercriminals seeking to exploit known vulnerabilities. The integration of compromised routers into botnets can lead to widespread distributed denial-of-service (DDoS) attacks, data breaches, and other malicious activities.

Users and organizations must prioritize cybersecurity hygiene by regularly updating devices, replacing obsolete hardware, and implementing robust security configurations to safeguard against evolving threats.