The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting several TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.
The flaw, tracked as CVE-2023-33538, is a command injection vulnerability that allows attackers to execute arbitrary system commands via a crafted HTTP GET request. The affected models include TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2.
“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization,” CISA noted.
In parallel, the threat intelligence firm GreyNoise reported renewed exploit attempts against CVE-2023-28771, a command injection flaw in Zyxel firewalls. The vulnerability, patched in April 2023, allows unauthenticated attackers to execute commands remotely.
On June 16, GreyNoise observed a sharp spike in exploitation attempts for the Zyxel flaw, with 244 unique IP addresses involved. Targeted regions included the United States, United Kingdom, Spain, Germany, and India.
Deeper analysis revealed indicators of Mirai botnet variants, a notorious malware family often used in large-scale distributed denial-of-service (DDoS) attacks.
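The two items above describe the same defensive problem: command-injection attempts arrive as ordinary HTTP requests, so the first place to look is the web access log of the device or of a reverse proxy in front of it. The script below is an added example written for this page; it is not code from the article, CISA, GreyNoise or TP-Link. It parses combined-format access-log lines, flags requests to the `/userRpm/WlanNetworkRpm` component named in the CISA entry whose query-string values contain shell metacharacters after URL decoding, and tallies the unique source addresses involved, the same kind of count GreyNoise reports for the Zyxel flaw. The `.htm` suffix, the parameter names and all log lines are constructed for illustration and are not taken from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Component path from the CISA KEV entry; the ".htm" suffix is an assumption
# about how the firmware exposes it, so we match on the prefix only.
VULN_PATH_PREFIX = "/userRpm/WlanNetworkRpm"

# Shell metacharacters that have no business inside a wireless-settings value:
# command separators, pipes, backticks, $(...) and embedded newlines.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Apache/nginx "combined" log format, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses; parameter
# names and values are made up and are not a real exploit payload).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=HomeNet&channel=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jun/2025:10:01:05 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=a%3B%20foo&channel=6 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [16/Jun/2025:10:01:09 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=a%60foo%60 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [16/Jun/2025:10:02:00 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Jun/2025:10:02:03 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid=x%7Cfoo HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""


def analyze(log_text: str) -> dict:
    """Scan access-log text for injection-style requests to the vulnerable component.

    Returns a dict with the individual findings, every source IP that touched
    the component at all, and the subset of IPs that sent a flagged request.
    """
    findings = []
    touching = set()
    flagged = set()

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.startswith(VULN_PATH_PREFIX):
            continue
        touching.add(m["ip"])

        # parse_qsl decodes one layer of percent-encoding; unquote() runs a
        # second pass so double-encoded metacharacters are caught as well.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": key,
                    "value": decoded,
                    "status": int(m["status"]),
                })
                flagged.add(m["ip"])

    return {
        "findings": findings,
        "hosts_touching_component": sorted(touching),
        "flagged_hosts": sorted(flagged),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts']} {f['ip']} param={f['param']!r} value={f['value']!r}")
    print(f"{len(result['flagged_hosts'])} unique source IPs sent flagged requests")
```

The status code is recorded but deliberately not used as a filter: on an end-of-life router a successful injection and a harmless settings change both return 200, so a HTTP status tells you nothing about whether the attempt worked. For devices on the EoL list the only durable fix is the one CISA gives, replacing the unit; this check is for finding out whether anyone has already been probing it.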