CVE-2023-33538
Published 2023-06-07
CVE-2023-33538: TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component…
Priority: P1 · 85 · high · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2025-07-07)
Exploited in the wild
EPSS: 41.87% (98.5th percentile)
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.
Detection & IOCs (extracted from sources)
- Exploitation of CVE-2023-33538 attempts to deploy a Mirai-like botnet malware; monitor for post-exploitation Mirai-variant payloads on affected TP-Link router models.
- The Condi-referenced botnet malware includes self-update capability and acts as a web server to spread infection to other devices that connect to it; monitor for unexpected HTTP server activity on compromised routers.
- Unit 42 detected active, automated scans and probes attempting to exploit CVE-2023-33538; monitor network traffic for automated scanning activity targeting /userRpm/WlanNetworkRpm on TP-Link devices.
- CVE-2023-33538 exploitation requires authentication to the router's web interface; unauthenticated exploitation is not possible, limiting the attack surface to cases where default or weak credentials are in use.
- Affected TP-Link models (TL-WR940N v2/v4, TL-WR841N v8/v10, TL-WR740N v1/v2) are end-of-life/end-of-service and will not receive patches; no vendor fix is available.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.8 HIGH
cisa · 8.8 HIGH
GHSA
GHSA-49g9-8m2w-hfgg: TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/
ghsa_unreviewed · 2023-06-07 · CVE-2023-33538 [HIGH] CWE-77
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.
VulnCheck
TP-Link Multiple Routers Command Injection Vulnerability
vulncheck · 2023 · CVSS 8.8 · CVE-2023-33538 [HIGH] CWE-77
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: TP-Link Multiple Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Exploit PoC: https://vulncheck.com/xdb/16db4bdedbf0; htt
CISA
TP-Link Multiple Routers Command Injection Vulnerability
cisa · 2025-06-16 · CVSS 8.8 · CVE-2023-33538 [HIGH] CWE-77
Vulnerability: TP-Link Multiple Routers Command Injection Vulnerability
Affected: TP-Link Multiple Routers
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.tp-link.com/nordic/support/faq/3562/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-33538
Remediation Due Date: 2025-07-07
No detection rules found.
No public exploits indexed.
Unit42
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
blogs_unit42 · 2026-06-05 · CVSS 7.8 · CVE-2026-0257 [HIGH]
## Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
Andy Piazza · Unit 42 · Published: June 5, 2026
Tags: High Profile Threats, Vulnerabilities, CVE-2026-0257, Vulnerability
Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect. This security flaw involves an authentication bypass in the portal and gateway components of vulnerable versions of PAN-OS® software, which could allow unauthorized attackers to circumvent security controls and initiate VPN connections. This CVE was added to the Known Exploited Vulnerability (KEV) catalog on May 29.
No post-access behavior or lateral movement has been identified as of this time. Only a small portion of the probed devices actually es
Unit42
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
blogs_unit42 · 2026-05-07 · CVSS 9.3 · CVE-2026-0300 [CRITICAL]
## Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Justin Moore · Unit 42 · Published: May 6, 2026
Tags: High Profile Threats, Vulnerabilities, CVE-2026-0300, EarthWorm, PAN-OS, Remote Code Execution, ReverseSocks5, Vulnerability, Zero-day
## Executive Summary
On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
We are aware of only limited exploitation of CVE-2026-0300 at this time
Unit42
Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
blogs_unit42 · 2026-05-05 · CVSS 7.8 · CVE-2026-31431 [HIGH]
## Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Justin Moore · Published: May 5, 2026
Tags: High Profile Threats, Vulnerabilities, Containers, CVE-2026-31431, Kubernetes, Linux, Local privilege escalation, Page cache, Vulnerability
## Executive Summary
On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017.
Unlike many kernel vulnerabilities, this logic flaw is deterministic, meaning it does
Hackernews
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
blogs_hackernews · 2026-04-18 · CVSS 6.3 · CVE-2024-3721 [MEDIUM]
## Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting security flaws in TBK DVR and end-of-life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.
"IoT devices are increasingly prime targets for
Unit42
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
blogs_unit42 · 2026-04-16 · CVSS 8.8 · CVE-2023-33538 [HIGH]
## A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Asher Davila, Malav Vyas, Chris Navarrete · Published: April 16, 2026
Tags: Threat Research, Vulnerabilities, Botnet, Command injection, CVE-2023-33538, Mirai, WiFi routers
## Executive Summary
We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:
- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10
The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices.
We observed this activity after the Cybersecurity and Infrastructure Security Agency’s (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposu
Unit42
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
blogs_unit42 · 2024-11-19
## FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Asher Davila, Chris Navarrete · Published: November 19, 2024
Tags: Malware, Threat Research, BUSTLEBERM, FrostyGoop, Go, GoLang, ICS, IIoT, IoT, JSON, MikroTik, Modbus, Operational Technology, OT, Russia, SCADA, Vulnerabilities
## Executive Summary
In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt critical infrastructure. The outage occurred after the Cyber Security Situation Center (CSSC), affiliated with the Security Service of Ukraine, disclosed details [PDF] of an attack on a municipal energy company in Ukraine in early 2024.
FrostyGoop is the ninth reported OT-centric malware, but the first that used Modbus TCP communications to impact the power supply to heating services for over 600 apartment buildings. FrostyGoop can be used both within a compromised perimeter and externally if the target device is accessible over the internet. FrostyGoop sends Modbus commands to read or modify data on industrial control systems
Greynoiseio
NoiseLetter June 2025
blogs_greynoiseio
References
- https://github.com/a101e-IoTvul/iotvul/blob/main/tp-link/3/TL-WR940N_TL-WR841N_userRpm_WlanNetworkRpm_Command_Injection.md
- https://web.archive.org/web/20230609111043/https://github.com/a101e-IoTvul/iotvul/blob/main/tp-link/3/TL-WR940N_TL-WR841N_userRpm_WlanNetworkRpm_Command_Injection.md
- https://www.secpod.com/blog/cisa-issues-warning-on-active-exploitation-of-tp-link-vulnerability-cve-2023-33538/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33538
- https://www.tp-link.com/us/support/faq/3562/
2023-06-07 · Published
2025-06-16 · Added to CISA KEV
Exploited in the wild