Full Report
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware. The post A Deep Dive Into Attempted Exploitation of CVE-2023-33538 appeared first on Unit 42.
Analysis Summary
# Vulnerability: Command Injection in TP-Link Wireless Routers
## CVE Details
- **CVE ID:** CVE-2023-33538
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command)
## Affected Systems
- **Products:** TP-Link Wireless Routers
- **Versions:**
  - Archer AX10 (specifically V1.20)
  - AX1500
  - Potentially other models sharing the same firmware base.
- **Configurations:** Systems running firmware versions prior to the June 2023 security updates.
## Vulnerability Description
CVE-2023-33538 is a critical command injection vulnerability located in the web management interface of the router. The flaw exists due to insufficient sanitization of user-supplied input before it is passed to a system shell for execution. Specifically, an unauthenticated attacker can send specially crafted HTTP requests containing shell metacharacters (such as backticks or semicolons) to trigger arbitrary command execution with root privileges on the underlying operating system.
## Exploitation
- **Status:** **Exploited in the wild.** Unit 42 has observed active exploitation attempts by botnets (notably Mirai variants).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to router logs, configuration, and traffic)
- **Integrity:** High (Attackers can modify firmware, DNS settings, or install malware)
- **Availability:** High (Devices can be bricked or recruited into DDoS botnets)
## Remediation
### Patches
- Users should update to the latest firmware version provided by TP-Link for their specific model.
- **Archer AX10 V1.20** users should ensure they are running firmware versions released after June 2023.
### Workarounds
- Disable "Remote Management" features to ensure the web interface is not accessible from the Wide Area Network (WAN).
- Change default administrative credentials.
- Use a robust firewall to restrict access to the router’s management port (typically TCP 80/443).
## Detection
- **Indicators of Compromise (IoCs):**
  - Presence of suspicious files in `/tmp/` (e.g., scripts named `sh`, `mira`, or randomized alphanumeric strings).
  - Outbound traffic on ports typically used for C2 communication by Mirai (e.g., 23, 2323, 48101).
  - Unexplained device reboots or significant performance degradation.
- **Detection Methods:**
  - Monitor for HTTP POST requests to management endpoints containing shell characters like `|`, `&`, or `` ` ``.
  - Utilize IPS/IDS signatures designed to detect Mirai-style payloads and common command injection patterns.
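The monitoring method above, as an added example that is not part of the Unit 42 report: a small scanner that runs over constructed access-log lines, restricts itself to management-endpoint paths, and URL-decodes the query before matching, since `%60`, `%3B` and `%7C` hide metacharacters from a naive string search. The endpoint prefixes and log lines are assumptions for illustration; the report does not name the vulnerable path.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Metacharacters the advisory lists (|, &, backtick) plus ; and $( which reach
# a shell the same way. MGMT_PREFIXES are constructed placeholders, not the
# router's real management paths.
MGMT_PREFIXES = ("/cgi-bin/", "/admin/")
METACHAR = re.compile(r"[|&;`]|\$\(")

# Extracts method and request target from a combined-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(line):
    """Return (is_suspicious, reason) for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return False, "unparsed"
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    if not parts.path.startswith(MGMT_PREFIXES):
        return False, "not a management endpoint"
    # Decode first: percent-encoded metacharacters must not slip past the check.
    decoded = unquote_plus(parts.query)
    hit = METACHAR.search(decoded)
    if hit:
        return True, f"{method} {parts.path}: shell metacharacter {hit.group()!r} in query"
    return False, "clean"

def scan(lines):
    """Return the reason string for every suspicious line."""
    alerts = []
    for line in lines:
        hit, reason = classify_request(line)
        if hit:
            alerts.append(reason)
    return alerts

# Constructed sample lines (not real traffic); the third uses percent-encoding.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2023:10:00:00 +0000] "GET /admin/status?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2023:10:00:01 +0000] "POST /cgi-bin/setup?host=a|x HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jul/2023:10:00:02 +0000] "POST /cgi-bin/setup?host=a%60x%60 HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jul/2023:10:00:03 +0000] "GET /index.html?q=a|b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

Web-server access logs do not record POST bodies, so to cover form-encoded bodies feed the same `classify_request` logic with request records from a reverse proxy, WAF or packet capture that retains them.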
## References
- **Vendor Advisory:** hxxps[://]www[.]tp-link[.]com/us/support/download/archer-ax10/v1.20/#Firmware
- **Analysis:** hxxps[://]unit42[.]paloaltonetworks[.]com/cve-2023-33538-tp-link-exploitation/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2023-33538