
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority warning about a serious vulnerability affecting several TP-Link wireless routers. The flaw, tracked as CVE-2023-33538, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by attackers.
This vulnerability carries a CVSS severity score of 8.8, marking it as a high-risk issue. It is a command injection flaw that can allow remote attackers to execute malicious commands on the router without any user interaction. The vulnerability exists in the “ssid1” parameter of certain HTTP GET requests that are sent to a vulnerable router.
According to CISA, the affected TP-Link models include:
TL-WR940N (versions V2 and V4)
TL-WR841N (versions V8 and V10)
TL-WR740N (versions V1 and V2)
These models are targeted through a vulnerable component at the path /userRpm/WlanNetworkRpm. Attackers can send requests to this endpoint whose ssid1 parameter carries injected commands, which the router then executes.
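As an added example (not part of the original article or any CISA or TP-Link tooling), the following Python script scans web-server access log lines for GET requests to the /userRpm/WlanNetworkRpm endpoint named above whose ssid1 parameter contains shell metacharacters, which an SSID never legitimately needs. The log format, the sample addresses and the metacharacter list are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory for CVE-2023-33538.
VULN_PATH = "/userRpm/WlanNetworkRpm"
VULN_PARAM = "ssid1"

# Shell metacharacters that have no place in an SSID (assumed list).
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Assumed Apache/nginx-style combined access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign request to the endpoint, one suspicious
# request (placeholder metacharacters only), one request to a different page.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2025:10:01:02 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=HomeNet&channel=6 HTTP/1.1" 200 512',
    '203.0.113.9 - - [16/Jun/2025:10:02:15 +0000] '
    '"GET /userRpm/WlanNetworkRpm?ssid1=x%3B%24%28placeholder%29&region=0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:03:40 +0000] '
    '"GET /userRpm/StatusRpm?ssid1=a%3Bb HTTP/1.1" 200 2048',
]


def inspect_request(target):
    """Return the decoded ssid1 value if it looks injected, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get(VULN_PARAM, []):
        decoded = unquote(value)  # second pass catches double-encoded values
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (source_ip, timestamp, ssid1_value) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"].upper() != "GET":
            continue
        found = inspect_request(m["target"])
        if found is not None:
            hits.append((m["ip"], m["ts"], found))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious ssid1={value!r}")
```

Feed the real router or reverse-proxy access log into scan_log to produce a list of source addresses and timestamps worth investigating.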
This type of vulnerability can be used by cybercriminals to take full control of a device. Once they gain access, attackers can monitor traffic, launch further attacks on connected systems, or use the compromised router as part of a botnet.
CISA is especially concerned because the vulnerable routers may be end-of-life (EoL) or end-of-support (EoS), meaning TP-Link may no longer provide security patches for them. In such cases, there may be no official fix or update, putting users at continued risk.
If you are using one of the affected router models and there is no patch available, immediately stop using the device and replace it with a supported model that receives security updates.
CISA confirms that CVE-2023-33538 is actively being exploited in real-world attacks. Although exact details of the exploitation are not public, its inclusion in the KEV catalog means government agencies must fix the issue by July 7, 2025.
This move by CISA also serves as a strong warning to private organizations and individual users to act quickly.
In December 2024, cybersecurity researchers from Palo Alto Networks’ Unit 42 discovered malware called FrostyGoop (also known as BUSTLEBERM) targeting industrial control systems. One of the compromised systems was using a TP-Link WR740N router, which raised concerns.
While researchers could not confirm that CVE-2023-33538 was used in that particular attack, the link between TP-Link routers and malicious campaigns shows the real-world risks of unpatched hardware.

Alongside the TP-Link warning, security firm GreyNoise has reported new attack activity exploiting CVE-2023-28771, a critical flaw in Zyxel firewalls with a CVSS score of 9.8.
This flaw allows unauthenticated remote attackers to run commands on vulnerable Zyxel devices by sending specially crafted requests. The bug was patched in April 2023, but many devices remain unprotected.
GreyNoise reported that as of June 16, 2025, it observed a sudden spike in exploit attempts, with 244 unique IP addresses scanning the internet for devices vulnerable to CVE-2023-28771. Countries being targeted include the United States, United Kingdom, Spain, Germany, and India.
What’s more alarming is that many of these attacks show patterns linked to the Mirai botnet — a type of malware that takes over connected devices and uses them for large-scale distributed denial-of-service (DDoS) attacks.
For TP-Link Router Users:
Check your router model and version to see if it’s affected.
Visit TP-Link’s website or contact support for firmware updates.
If no fix is available, replace the router immediately with a modern, supported device.
Consider switching to routers that regularly receive security updates and patches.
For Zyxel Firewall Users:
Update your devices immediately with the latest firmware from Zyxel.
Enable security monitoring for any signs of unusual network activity.
Restrict remote access to firewall interfaces whenever possible.
Use firewall rules to block access from unknown IP addresses.
These recent alerts highlight the growing trend of router and firewall vulnerabilities being used as entry points for cyberattacks. As many households and organizations continue to use older, unsupported hardware, attackers are taking advantage of these gaps.
Whether you are an individual, small business, or part of a larger enterprise, it’s critical to:
Keep your networking hardware updated
Monitor for vulnerabilities
Act fast when a known exploit is reported
With attackers increasingly targeting routers to launch malware, botnets, and DDoS attacks, now is the time to take device security seriously.