
CISA Alerts to Active Exploitation of TP-Link Router Vulnerability CVE-2023-33538

A high-severity command injection vulnerability in TP-Link routers, tracked as CVE-2023-33538 (CVSS v3 score 8.8), was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on June 16, 2025 following evidence of active exploitation. The flaw allows an attacker to execute arbitrary operating-system commands on affected devices, specifically the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2.


Details of the Vulnerability

The flaw lies in the /userRpm/WlanNetworkRpm component of the router's web management interface, which handles the ssid1 parameter of the wireless settings page. The parameter's value is passed into a system command without adequate sanitization, so a crafted HTTP GET request carrying shell metacharacters in ssid1 results in command execution on the router. Because the request targets the management interface, exposure depends on who can reach that interface: a router with remote management enabled on the WAN side is reachable from the internet, while any other is exposed to devices on its LAN or Wi-Fi. A successful exploit gives the attacker control of the router, including the ability to read and change its configuration and to disrupt service.
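As an added example (not code from TP-Link, CISA, or this article), the following Python snippet turns the description above into a detection heuristic over HTTP access log lines: it looks for requests to the vulnerable component whose ssid1 value contains shell metacharacters, including double-percent-encoded payloads. The log format (common/combined access log from a reverse proxy or IDS HTTP log in front of the router's web UI) and the sample lines are assumptions constructed for the example; the path and parameter name are the ones from the CVE record.

```python
"""Detect CVE-2023-33538 exploitation attempts in HTTP access log lines.

Added example; not TP-Link, CISA, or Netizen code. Assumes access logs in
the common/combined format (e.g. from a reverse proxy or an IDS HTTP log
in front of the router's web UI). The sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Component and parameter named in the CVE record / CISA KEV entry.
VULN_PATH = "/userRpm/WlanNetworkRpm"
VULN_PARAM = "ssid1"

# Characters that let a value escape into shell syntax. A legitimate SSID
# rarely needs any of these; if yours do, remove them from the class.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line we understand
    parts = urlsplit(m["target"])
    if parts.path != VULN_PATH:
        return None
    # parse_qs decodes percent-encoding once; decode again so a
    # double-encoded payload (%2524 -> %24 -> $) is still caught.
    raw_values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    values = [unquote(v) for v in raw_values]
    hits = [v for v in values if SHELL_META.search(v)]
    if not hits:
        return None
    return {
        "src": m["src"],
        "ts": m["ts"],
        "method": m["method"],
        "status": m["status"],
        "ssid1": hits,
    }


def scan(lines):
    """Run inspect() over every line and collect the findings."""
    return [f for f in map(inspect, lines) if f]


# Constructed sample: one legitimate SSID change, two injection attempts
# (single- and double-encoded), and an unrelated page.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2025:10:00:01 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&region=0 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2025:10:00:05 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=x%60id%60&region=0 HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '198.51.100.7 - - [16/Jun/2025:10:00:06 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=x%2524%2528id%2529 HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '192.0.2.10 - - [16/Jun/2025:10:00:09 +0000] '
    '"GET /userRpm/StatusRpm?Refresh=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The heuristic keys on the parameter value rather than on a fixed payload string, so it also catches variants of the attack; the trade-off is that an SSID legitimately containing one of the listed characters produces a false positive, which is why the character class is meant to be tuned per environment. A 200 response does not by itself mean the injection succeeded, so treat findings as triage leads and check the router's configuration and outbound connections afterwards.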


Security Risks and Potential Exploits

Command execution on the router amounts to administrative control of it, and the router sits at the network edge: a compromised device can be enrolled in a botnet, used to tamper with or exfiltrate traffic passing through it, or used as a foothold for attacks on the network behind it. The large installed base of these TP-Link models in home and small-business environments amplifies the impact, since those networks rarely have monitoring that would notice a compromised router.


Impact on End-of-Life Devices

CISA notes that several of the affected TP-Link models are end-of-life (EoL) or end-of-service (EoS) and no longer receive firmware updates, so for those devices there may be no fix to apply. The only reliable remediation for an unsupported device is to take it out of service; where a supported firmware exists, install it, and in either case make sure the management interface is not reachable from the internet.


Link to Prior Threat Activity

Details of the in-the-wild exploitation have not been published. Palo Alto Networks' Unit 42 previously reported a connection between the affected TP-Link routers and the FrostyGoop malware (tracked by Unit 42 as BUSTLEBERM), which was used in an attack on operational technology; the malware reportedly reached control devices through a compromised TP-Link router. No conclusive evidence ties that activity to CVE-2023-33538, but the overlap between these router models and an OT-focused campaign keeps the risk assessment high.


CISA’s Mandate and Recommended Actions

Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate by July 7, 2025. CISA strongly recommends that all organizations, particularly those in critical infrastructure sectors, apply available firmware updates or disconnect affected devices now. Given confirmed exploitation, unsupported devices should be removed rather than left in place awaiting a fix that will not come.


New Exploitation Attempts Targeting Zyxel Firewalls (CVE-2023-28771)

In addition to the TP-Link flaw, GreyNoise reports renewed exploitation attempts against CVE-2023-28771, a critical (CVSS 9.8) OS command injection vulnerability in Zyxel ZyWALL/USG, USG FLEX, ATP, and VPN series firewalls. The bug is reached through the firewall's IKE packet handling on UDP port 500, so no authentication is required and any device with that service reachable from the internet is exposed. Zyxel released a patch in April 2023, and the flaw has since been used by Mirai-based botnets to recruit devices for DDoS. GreyNoise observed a fresh burst of exploitation attempts on June 16, 2025.

The June 16 activity came from 244 unique source IP addresses within a short period, all geolocated to a single U.S. provider (Verizon Business), and targeted devices in the United States, United Kingdom, Spain, Germany, and India. Because the exploit travels over UDP, the source addresses may be spoofed and should be treated as indicators of a campaign rather than as reliable attribution. The attempts send crafted IKE packets to the vulnerable service; a successful hit gives the attacker command execution on the firewall, which is then typically enrolled in a botnet for high-volume DDoS against other targets.

Mirai variants are notorious for scaling quickly once a working vector is found, and 244 distinct sources hitting CVE-2023-28771 in a single day points to a coordinated campaign rather than background scanning, which is why immediate mitigation matters even for a two-year-old bug.
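GreyNoise's observation, many distinct sources hitting one service within a short window, is itself a usable detection. The following Python snippet is an added example (not GreyNoise or Zyxel code) that implements that idea as a sliding-window count of distinct source IPs per protocol/port over firewall log lines. The log format shown in the docstring and the sample lines are assumptions constructed for the example; the default port, UDP/500, is the IKE service through which CVE-2023-28771 is reached, but the same logic applies to any exposed service.

```python
"""Flag bursts of distinct source IPs hitting one exposed service.

Added example; not GreyNoise or Zyxel code. The log format is an assumption
made for the example:
  '<ISO-8601 time> src=<ip> dst=<ip> proto=<udp|tcp> dport=<port> action=<allow|drop>'
and the sample lines are constructed. Defaults target UDP/500 (IKE), the
service through which CVE-2023-28771 is reached.
"""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
    }


def detect_bursts(lines, proto="udp", dport=500, window=timedelta(minutes=10), min_sources=5):
    """Return one alert per burst in which >= min_sources distinct source IPs
    hit proto/dport within `window`.

    An alert opens when the threshold is first crossed and is extended, not
    duplicated, while the burst continues; a new alert can only open after
    the window has drained back below the threshold (one campaign, one alert).
    """
    events = [e for e in map(parse, lines) if e and e["proto"] == proto and e["dport"] == dport]
    events.sort(key=lambda e: e["ts"])
    recent = deque()  # events inside the current window, oldest first
    alerts = []
    armed = True
    for ev in events:
        recent.append(ev)
        while ev["ts"] - recent[0]["ts"] > window:
            recent.popleft()
        sources = {e["src"] for e in recent}
        if len(sources) >= min_sources:
            if armed:
                alerts.append({"start": recent[0]["ts"], "end": ev["ts"], "sources": set(sources)})
                armed = False
            else:
                alerts[-1]["end"] = ev["ts"]
                alerts[-1]["sources"] |= sources
        else:
            armed = True
    return alerts


# Constructed sample: one lone probe hours earlier, then six distinct sources
# (one repeating) on UDP/500 within about a minute, plus an unrelated TCP/443 hit.
SAMPLE_LOG = [
    "2025-06-16T08:02:11 src=203.0.113.9 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:00:01 src=203.0.113.21 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:00:03 src=203.0.113.22 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:00:09 src=203.0.113.23 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:00:10 src=203.0.113.50 dst=198.51.100.1 proto=tcp dport=443 action=allow",
    "2025-06-16T12:00:14 src=203.0.113.24 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:00:30 src=203.0.113.25 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:01:02 src=203.0.113.26 dst=198.51.100.1 proto=udp dport=500 action=allow",
    "2025-06-16T12:01:05 src=203.0.113.21 dst=198.51.100.1 proto=udp dport=500 action=allow",
]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['start']} - {a['end']}: {len(a['sources'])} distinct sources on udp/500")
```

The threshold and window are deliberately parameters: five sources in ten minutes is a sensible starting point for a service that should see only a handful of known VPN peers, and far too low for a public web port. Counting distinct sources rather than packets is what separates a campaign from one noisy scanner, and because these are UDP packets the sources may be spoofed, so the alert should trigger log review on the firewall rather than automatic blocking of the listed addresses.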

In response to this activity, Zyxel users should update to the latest firmware, which fixes CVE-2023-28771, and review firewall logs for exploitation attempts and for signs of compromise such as unexpected outbound connections from the firewall itself. Where IKE/IPsec VPN is not needed, do not expose UDP port 500 to the internet; where it is, restrict it to known VPN peers if the platform allows. Two-factor authentication does not stop a pre-authentication flaw like this one, but it still limits credential-based follow-on access to management interfaces, and network segmentation limits lateral movement if a device is compromised.

Cybersecurity experts continue to warn of the dangers of exposed devices and the rapid evolution of botnet threats. With botnet attacks increasing in scale and sophistication, these types of vulnerabilities pose a grave risk to businesses, individuals, and government networks alike.

By applying the recommended patches and ensuring their devices are secured, organizations can mitigate the risk of exploitation and help protect their infrastructure from becoming part of a larger malicious network.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact