216.73.217.22

A Deep Dive Into Attempted Exploitation of CVE-2023-33538

· Published 17/04/2026 08:35 · Modified 17/04/2026 10:47

Export JSON

Essential information

Published
17/04/2026 08:35
Modified
17/04/2026 10:47
Tags
2026-04-17 CVE-2023-33538 command injection condi condi botnet firmware analysis iot exploitation mirai mirai botnet tp-link routers wifi routers
Related entities
13 vulnerabilities (cve), 9 observables, 19 techniques (mitre), 2 malware, 2 others

Description

Active exploitation attempts targeting in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy -like botnet malware, specifically variants associated with the IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (13)

CVE-2026-22584
9.8 Critical

Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …

Attack vector
NETWORK
EPSS
0.0003 (P7.6%)
Published
09/01/2026
Modified
17/04/2026
Received
CVE-2026-1281 KEV
9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector
NETWORK
Published
29/01/2026
Modified
27/03/2026
Analyzed
CVE-2023-33538 KEV
8.8 High

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …

Attack vector
Network
Published
16/06/2025
Modified
21/12/2025
CVE-2025-0921
6.5 Medium

Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …

Attack vector
Local
Complexity
LOW
Published
16/05/2025
Modified
17/04/2026
CVE-2026-1340 KEV
9.8 Critical

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.

Attack vector
NETWORK
Complexity
LOW
Published
29/01/2026
Modified
10/04/2026
CVE-2025-59287 KEV
9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector
Network
Published
24/10/2025
Modified
21/12/2025
Undergoing Analysis
CVE-2025-23304
7.8 High

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …

Attack vector
LOCAL
Published
13/08/2025
Modified
17/04/2026
Awaiting Analysis
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2025-66478

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published
20/12/2025
Modified
21/12/2025
Rejected
CVE-2025-14847 KEV
8.7 High

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue …

Attack vector
NETWORK
Published
19/12/2025
Modified
26/01/2026
Awaiting Analysis
CVE-2024-3400 KEV
10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector
Network
Published
12/04/2024
Modified
21/12/2025
CVE-2026-1731 KEV
9.9 Critical

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …

Attack vector
Network
Published
13/02/2026
Modified
20/02/2026
Received

Observables (9)

  • 3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7
  • 56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6
  • 919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4
  • 9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402
  • 4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da
  • 534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b
  • c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26
  • 00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620
  • 7bbb21fec19512d932b7a92652ed0c8f0fedea89f34b9d6f267cf39de0eb9b20

Techniques (MITRE) (19)

  • T1078
    Valid Accounts
  • T1489
    Service Stop
  • T1573
    Encrypted Channel
  • T1071.001
    Web Protocols
  • T1486
    Data Encrypted for Impact
  • T1018
    Remote System Discovery
  • T1543
    Create or Modify System Process
  • T1190
    Exploit Public-Facing Application
  • T1105
    Ingress Tool Transfer
  • T1059.004
    Unix Shell
  • T1098
    Account Manipulation
  • T1046
    Network Service Discovery
  • T1059
    Command and Scripting Interpreter
  • T1133
    External Remote Services
  • T1071
    Application Layer Protocol
  • T1542.004
    ROMMONkit
  • T1203
    Exploitation for Client Execution
  • T1082
    System Information Discovery
  • T1049
    System Network Connections Discovery

Malware (2)

  • Mirai
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • Condi
    Family
    Published 17/04/2026 08:35 · Modified 17/04/2026 08:35

Others (2)

  • bot.ddosvps.cc
  • cnc.vietdediserver.shop

External references