Tuesday, June 25, 2024

TP-Link WAN-Side Vulnerability Exploited to Install Mirai Malware

Mirai botnet exploits CVE-2023-1389 to add TP-Link Archer A21 (AX1800) routers to DDoS attacks. During the Pwn2Own Toronto event in December 2022, two hacking teams exploited the vulnerability in different ways via:-

  • LAN interfaces
  • WAN interfaces

In January 2023, the flaw was unveiled to TP-Link, and just after the report, TP-Link released a new firmware update with the fix last month.

Mirai botnet has updated its toolkit to include CVE-2023-1389, as observed by the ZDI threat-hunting team detecting new exploit attempts in Eastern Europe via their telemetry system.

Flaw Profile

  • CVE ID: CVE-2023-1389 (ZDI-CAN-19557/ZDI-23-451)
  • Falw Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Archer AX21 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the merge_country_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code in the root context.
  • CVSS Score: 8.8
  • Affected Vendor: TP-Link
  • Affected Product: Archer AX21
  • Disclosure Timeline:-
  • 2023-01-25 – Vulnerability reported to the vendor
  • 2023-04-24 – Coordinated public release of advisory

This vulnerability is an unauthenticated command injection vulnerability, and it has been identified in the web management interface’s locale API.

Successful exploitation of this flaw enables users to specify the form they want to call via the query string form and an operation, which is typical:-

  • read


  • write

Cyber attackers can exploit the flaw by incorporating a command payload as part of the country parameter and subsequently initiating a second request to activate the command. 

Mirai Malware installation

On April 11, 2023, the initial indications of in-the-wild exploitation surfaced, and since then, malicious activity has been identified globally.

Mirai malware botnet now uses the vulnerability to compromise the devices, and then subsequently, it procures the device into its botnet by downloading the suitable binary payload for the router’s architecture.

The current version of Mirai concentrates on DDoS attacks, particularly on game servers. It can target Valve Source Engine (VSE) and possesses features that reflect this focus.

Malware Connection

This new malware version can replicate authentic network traffic, making it challenging for DDoS mitigation solutions to detect malicious traffic.

For identification or detection, here below, we have mentioned the common signs of an infected TP-Link router:-

  • Overheating
  • Internet disconnections
  • On the device’s network settings, uncertain changes
  • Unwanted resetting of admin user passwords


On February 24, 2023, TP-Link took steps to address the issue at hand. Unfortunately, the company’s solution was inadequate and failed to prevent further exploitation.

But, on March 14, 2023, the company released a firmware update with the patch to fix CVE-2023-1389, and here below, we have mentioned the updated version:-

  • 1.1.4 Build 20230219

If you are a user of the Archer AX21 AX1800 dual-band WiFi 6 router, then can download the latest firmware update from their official update page.

Building Your Malware Defense Strategy – Download Free E-Book


Latest articles

Beware Of Shorten URLs With Word Files That Install Remcos RAT

A new method of distributing the Remcos Remote Access Trojan (RAT) has been identified.This...

Top 10 Best Penetration Testing Companies & Services in 2024

Penetration Testing Companies are pillars of information security; nothing is more important than ensuring...

Hackers Use Windows XSS Flaw To Execute Arbitrary Command In MMC Console

Attackers are leveraging a new infection technique called GrimResource that exploits MSC files.By...

New Webkit Vulnerabilities Let Attackers Exploit PS4 And PS5 Playstations

Webkit vulnerabilities in PS4 and PS5 refer to bugs found in the Webkit engine...

Hackers Exploit Multiple WordPress Plugins to Hack Websites & Create Rogue Admin Accounts

Wordfence Threat Intelligence team identified a significant security breach involving multiple WordPress plugins. The initial...

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles