A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Essential information
- Published: 17/04/2026 08:35
- Modified: 17/04/2026 10:47
- Tags: 2026-04-17, CVE-2023-33538, command injection, condi, condi botnet, firmware analysis, iot exploitation, mirai, mirai botnet, tp-link routers, wifi routers
- Related entities: 13 vulnerabilities (cve), 9 observables, 19 techniques (mitre), 2 malware, 2 others
Description
Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-like botnet malware, specifically variants associated with the Condi IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The command injection vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...