CVE-2023-33538
published 2023-06-07

CVE-2023-33538: TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component…

Priority P185 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-07-07
Exploited in the wild
EPSS: 41.87% (98.5th percentile)
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 were discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.

Detection & IOCs (extracted from sources)

path: /userRpm/WlanNetworkRpm
  • Exploitation of CVE-2023-33538 attempts to deploy a Mirai-like botnet malware; monitor for post-exploitation Mirai-variant payloads on affected TP-Link router models.
  • The Condi-referenced botnet malware includes self-update capability and acts as a web server to spread infection to other devices that connect to it; monitor for unexpected HTTP server activity on compromised routers.
  • Unit 42 detected active, automated scans and probes attempting to exploit CVE-2023-33538; monitor network traffic for automated scanning activity targeting /userRpm/WlanNetworkRpm on TP-Link devices.
  • CVE-2023-33538 exploitation requires authentication to the router's web interface; unauthenticated exploitation is not possible, limiting the attack surface to cases where default or weak credentials are in use.
  • Affected TP-Link models (TL-WR940N v2/v4, TL-WR841N v8/v10, TL-WR740N v1/v2) are end-of-life/end-of-service and will not receive patches; no vendor fix is available.

CVSS provenance

nvd: v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH