Saturday, March 2, 2024

TP-Link WAN-Side Vulnerability Exploited to Install Mirai Malware

Mirai botnet exploits CVE-2023-1389 to add TP-Link Archer A21 (AX1800) routers to DDoS attacks. During the Pwn2Own Toronto event in December 2022, two hacking teams exploited the vulnerability in different ways via:-

  • LAN interfaces
  • WAN interfaces

In January 2023, the flaw was unveiled to TP-Link, and just after the report, TP-Link released a new firmware update with the fix last month.

Mirai botnet has updated its toolkit to include CVE-2023-1389, as observed by the ZDI threat-hunting team detecting new exploit attempts in Eastern Europe via their telemetry system.

Flaw Profile

  • CVE ID: CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451)
  • Falw Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the merge_country_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code in the root context.
  • CVSS Score: 8.8
  • Affected Vendor: TP-Link
  • Affected Product: Archer AX21
  • Disclosure Timeline:-
  • 2023-01-25 – Vulnerability reported to the vendor
  • 2023-04-24 – Coordinated public release of advisory

This vulnerability is an unauthenticated command injection vulnerability, and it has been identified in the web management interface’s locale API.

Successful exploitation of this flaw enables users to specify the form they want to call via the query string form and an operation, which is typical:-

  • read


  • write

Cyber attackers can exploit the flaw by incorporating a command payload as part of the country parameter and subsequently initiating a second request to activate the command. 

Mirai Malware installation

On April 11, 2023, the initial indications of in-the-wild exploitation surfaced, and since then, malicious activity has been identified globally.

Mirai malware botnet now uses the vulnerability to compromise the devices, and then subsequently, it procures the device into its botnet by downloading the suitable binary payload for the router’s architecture.

The current version of Mirai concentrates on DDoS attacks, particularly on game servers. It can target Valve Source Engine (VSE) and possesses features that reflect this focus.

Malware Connection

This new malware version can replicate authentic network traffic, making it challenging for DDoS mitigation solutions to detect malicious traffic.

For identification or detection, here below, we have mentioned the common signs of an infected TP-Link router:-

  • Overheating
  • Internet disconnections
  • On the device’s network settings, uncertain changes
  • Unwanted resetting of admin user passwords


On February 24, 2023, TP-Link took steps to address the issue at hand. Unfortunately, the company’s solution was inadequate and failed to prevent further exploitation.

But, on March 14, 2023, the company released a firmware update with the patch to fix CVE-2023-1389, and here below, we have mentioned the updated version:-

  • 1.1.4 Build 20230219

If you are a user of the Archer AX21 AX1800 dual-band WiFi 6 router, then can download the latest firmware update from their official update page.

Building Your Malware Defense Strategy – Download Free E-Book


Latest articles

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles