Friday, February 7, 2025
HomeCyber Security NewsTP-Link WAN-Side Vulnerability Exploited to Install Mirai Malware

TP-Link WAN-Side Vulnerability Exploited to Install Mirai Malware

Published on

SIEM as a Service

Follow Us on Google News

Mirai botnet exploits CVE-2023-1389 to add TP-Link Archer A21 (AX1800) routers to DDoS attacks. During the Pwn2Own Toronto event in December 2022, two hacking teams exploited the vulnerability in different ways via:-

  • LAN interfaces
  • WAN interfaces

In January 2023, the flaw was unveiled to TP-Link, and just after the report, TP-Link released a new firmware update with the fix last month.

Mirai botnet has updated its toolkit to include CVE-2023-1389, as observed by the ZDI threat-hunting team detecting new exploit attempts in Eastern Europe via their telemetry system.

Flaw Profile

  • CVE ID: CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451)
  • Falw Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the merge_country_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code in the root context.
  • CVSS Score: 8.8
  • Affected Vendor: TP-Link
  • Affected Product: Archer AX21
  • Disclosure Timeline:-
  • 2023-01-25 – Vulnerability reported to the vendor
  • 2023-04-24 – Coordinated public release of advisory

This vulnerability is an unauthenticated command injection vulnerability, and it has been identified in the web management interface’s locale API.

Successful exploitation of this flaw enables users to specify the form they want to call via the query string form and an operation, which is typical:-

  • read

or

  • write

Cyber attackers can exploit the flaw by incorporating a command payload as part of the country parameter and subsequently initiating a second request to activate the command. 

Mirai Malware installation

On April 11, 2023, the initial indications of in-the-wild exploitation surfaced, and since then, malicious activity has been identified globally.

Mirai malware botnet now uses the vulnerability to compromise the devices, and then subsequently, it procures the device into its botnet by downloading the suitable binary payload for the router’s architecture.

The current version of Mirai concentrates on DDoS attacks, particularly on game servers. It can target Valve Source Engine (VSE) and possesses features that reflect this focus.

Malware Connection

This new malware version can replicate authentic network traffic, making it challenging for DDoS mitigation solutions to detect malicious traffic.

For identification or detection, here below, we have mentioned the common signs of an infected TP-Link router:-

  • Overheating
  • Internet disconnections
  • On the device’s network settings, uncertain changes
  • Unwanted resetting of admin user passwords

Patch

On February 24, 2023, TP-Link took steps to address the issue at hand. Unfortunately, the company’s solution was inadequate and failed to prevent further exploitation.

But, on March 14, 2023, the company released a firmware update with the patch to fix CVE-2023-1389, and here below, we have mentioned the updated version:-

  • 1.1.4 Build 20230219

If you are a user of the Archer AX21 AX1800 dual-band WiFi 6 router, then can download the latest firmware update from their official update page.

Building Your Malware Defense Strategy – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Former Google Engineer Charged for Allegedly Stealing AI Secrets for China

A federal grand jury has indicted Linwei Ding, also known as Leon Ding, a...

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...

Critical Flaws in HPE Aruba ClearPass Expose Systems to Arbitrary Code Execution

Hewlett Packard Enterprise (HPE) has issued a high-priority security bulletin addressing multiple vulnerabilities in...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Former Google Engineer Charged for Allegedly Stealing AI Secrets for China

A federal grand jury has indicted Linwei Ding, also known as Leon Ding, a...

Dell Update Manager Plugin Flaw Exposes Sensitive Data

Dell Technologies has issued a security advisory (DSA-2025-047) to address a vulnerability in the Dell Update...

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

DeepSeek iOS app—a highly popular AI assistant recently crowned as the top iOS app...