CVE-2023-1389
published 2023-03-15

Priority: P1 · 91 · high
CVSS 3.1: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability: due 2023-05-22
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Affected (1 range)

Vendor  | Product              | Version range | Fixed in
tp-link | archer_ax21_firmware | < 1.1.4       | 1.1.4

Detection & IOCs (extracted from sources)

hash: 888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8
hash: b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c
hash: b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3
hash: 366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6
hash: 413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2
hash: 2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599
hash: 4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0
hash: 461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d
hash: aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777
hash: 0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915
hash: eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19
hash: 3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d
hash: aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089
hash: 4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b
url: http://185.225.74.251/armv4l
url: http://185.225.74.251/armv5l
url: http://185.225.74.251/armv6l
url: http://185.225.74.251/armv7l
url: http://185.225.74.251/mips
url: http://185.225.74.251/mipsel
url: http://185.225.74.251/sh4
url: http://185.225.74.251/x86_64
url: http://185.225.74.251/i686
url: http://185.225.74.251/i586
url: http://185.225.74.251/arc
url: http://185.225.74.251/m68k
url: http://185.225.74.251/sparc
domain: zvub.us
ip: 185.225.74.251
  • The vulnerability is an unauthenticated command injection in the locale API's 'country' form write operation on the TP-Link Archer AX21 web management interface. Monitor for HTTP POST/write requests to the locale API endpoint targeting the 'country' field with shell metacharacters.
  • Mirai payloads for CVE-2023-1389 use XOR keys 0x00 and 0x22 to encrypt strings. Scanning for these XOR-encoded Mirai binaries can aid in payload identification.
  • Mirai bots exploiting CVE-2023-1389 use specific User-Agent strings and server headers including 'cloudflare-nginx' and 'dosarrest' to blend DDoS traffic with legitimate traffic. Alert on these headers in outbound traffic from router/IoT devices.
  • CVE-2023-1389 exploitation activity was first observed on April 11, 2023, initially targeting devices in Eastern Europe. Correlate telemetry for TP-Link Archer AX21 exploitation attempts originating from Eastern European IPs around that timeframe.
  • CVE-2023-1389 was the 3rd most exploited CVE by volume in March 2025 with 4,698 attempts recorded. Prioritize detection rules for this CVE given its continued active exploitation.
  • A Mirai-based botnet campaign abused CVE-2023-1389 on TP-Link Archer AX21 routers targeting Brazilian internet providers, using open DNS servers for high-volume amplification attacks. Monitor for anomalous DNS amplification traffic from compromised TP-Link devices.
  • The Mirai botnet payloads are downloaded and executed using a brute-force methodology to find the appropriate payload for the target system architecture, meaning multiple architecture-specific binaries are tried sequentially. Detection should account for multiple sequential download attempts from the same C2 IP across different architecture paths.
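The first and last detection notes above translate directly into log-matching logic. The block below is an added example written for this page, not code taken from any of the cited sources: it runs two checks over constructed sample logs, one for POST requests to the locale endpoint whose decoded `country` value carries shell metacharacters, and one for a single device fetching several architecture-named binaries from one host in quick succession. The log line formats, the client and host addresses, the `;stok=/` heuristic for an unauthenticated request and the `detect_*` function names are all assumptions made for the example; the endpoint path and the architecture file names come from the record above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint as described in the advisory. The ';stok=' token may be
# empty (the exploitable request needs no session) or carry a value; we match
# both so that authenticated writes are inspected too (assumption).
LOCALE_ENDPOINT = re.compile(r"^/cgi-bin/luci/?;stok=[^/]*/locale$")

# Characters that have no place in a country code but are significant to the
# shell once the value reaches popen().
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")

# Constructed sample access log (not real telemetry).
# Assumed format: "<client_ip> <method> <request-target>".
SAMPLE_ACCESS_LOG = """\
192.0.2.10 GET /cgi-bin/luci/;stok=abc123/admin/status
192.0.2.10 POST /cgi-bin/luci/;stok=abc123/locale?form=country&operation=write&country=US
198.51.100.7 POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%3Becho%20test
198.51.100.7 POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%24%28echo%29
203.0.113.5 GET /cgi-bin/luci/;stok=/locale?form=country&operation=read
"""


def detect_locale_injection(log_text):
    """One finding per POST to the locale endpoint whose percent-decoded
    'country' value contains a shell metacharacter."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        client_ip, method, target = parts
        if method.upper() != "POST":
            continue
        split = urlsplit(target)  # urlsplit keeps ';stok=...' inside .path
        if not LOCALE_ENDPOINT.match(split.path):
            continue
        # parse_qs percent-decodes values, so %3B / %24 etc. are caught as well.
        params = parse_qs(split.query, keep_blank_values=True)
        for country in params.get("country", []):
            if SHELL_META.search(country):
                findings.append({
                    "client_ip": client_ip,
                    "operation": params.get("operation", [""])[0],
                    "country": country,
                    # Heuristic (assumption): an empty stok means no session was used.
                    "unauthenticated": ";stok=/" in split.path,
                })
    return findings


# Architecture-specific payload names from the IoC list above; a bot that does
# not know the target CPU fetches several of these one after another.
ARCH_PATHS = {"armv4l", "armv5l", "armv6l", "armv7l", "mips", "mipsel", "sh4",
              "x86_64", "i686", "i586", "arc", "m68k", "sparc"}

# Constructed outbound-connection log (not real telemetry).
# Assumed format: "<epoch_seconds> <src_ip> <url>".
SAMPLE_EGRESS_LOG = """\
1681200000 192.0.2.20 http://198.51.100.99/armv7l
1681200002 192.0.2.20 http://198.51.100.99/mips
1681200004 192.0.2.20 http://198.51.100.99/mipsel
1681200006 192.0.2.20 http://198.51.100.99/x86_64
1681200100 192.0.2.30 http://198.51.100.99/armv7l
1681203000 192.0.2.20 http://198.51.100.99/sh4
"""


def detect_arch_sweep(log_text, min_distinct=3, window_seconds=60):
    """(src_ip, host, sorted arch names) for every device that fetched at least
    `min_distinct` different architecture binaries from one host within
    `window_seconds`; one alert per device/host pair."""
    events = defaultdict(list)  # (src_ip, host) -> [(ts, arch), ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src_ip, url = parts
        split = urlsplit(url)
        arch = split.path.rsplit("/", 1)[-1]
        if arch in ARCH_PATHS:
            events[(src_ip, split.hostname)].append((int(ts), arch))
    sweeps = []
    for (src_ip, host), seq in events.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            seen = {a for t, a in seq[i:] if t - start <= window_seconds}
            if len(seen) >= min_distinct:
                sweeps.append((src_ip, host, sorted(seen)))
                break
    return sweeps


if __name__ == "__main__":
    for f in detect_locale_injection(SAMPLE_ACCESS_LOG):
        print("locale injection:", f)
    for s in detect_arch_sweep(SAMPLE_EGRESS_LOG):
        print("architecture sweep:", s)
```

Decoding before matching is the point of the first check: the metacharacters in the sample lines arrive percent-encoded, and a rule that inspects the raw request line would miss them. The sweep check is deliberately host-agnostic so it keeps firing after the payload host changes; in a deployment the host would additionally be compared against the IoC list above.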

CVSS provenance

nvd: v3.1 8.8 HIGH (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 10.0 CRITICAL
cisa: 8.8 HIGH