CVE-2023-50224
Published 2024-05-03
Priority P1 83 · medium · 6.5 CVSS 3.0
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Badges: KEV, ITW
CISA Known Exploited Vulnerability, due 2025-09-24
Exploited in the wild
EPSS: 17.45% (96.7th percentile)
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | tl-wr841n | — | — |
| tp-link | tl-wr841n_firmware | — | — |
Detection & IOCs (extracted from sources)
- Detection: The exploit uses unauthenticated HTTP GET requests against the httpd service on TCP/80 to extract stored credentials (the dropbearpwd path).
- Detection: After credential extraction, a second crafted HTTP GET request is sent to modify the router's DHCP DNS settings. Monitor for unauthenticated GET requests that alter DNS configuration on the TP-Link WR841N management interface.
- Detection: Hunt for DNS resolutions of Outlook/email domains (autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, outlook.office365.com) resolving to the listed APT28 IP ranges rather than legitimate Microsoft infrastructure.
- Detection: CVE-2023-50224 is chained with CVE-2025-9377 (command injection) for full RCE. Detections should consider both vulnerabilities being exploited in sequence on the same device.
- Detection: The Quad7 botnet has exploited CVE-2023-50224 since 2023 to install custom malware that converts routers into proxies. Look for unusual outbound proxy/relay traffic from TP-Link SOHO routers.
- Caveat: The IOC IP list from NCSC covers only the first cluster of APT28 DNS/AitM infrastructure; the document notes that the list is not exhaustive and that selectors are liable to change.
- Caveat: The list of targeted TP-Link router models is likely not exhaustive; models beyond those listed may also be vulnerable.
- Caveat: Subsequent malicious logins using harvested credentials may originate from infrastructure not listed in the advisory.
- Caveat: For banner pattern 2, the dnsmasq DNS software was only present on some servers in that cluster, so absence of the banner does not rule out membership in the cluster.
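The two hunts above (an unauthenticated credential read followed by an unauthenticated DNS change from the same source, and Outlook domains resolving into suspect address space) can be expressed as a small log-processing script. The following is an added example written for this page; it is not code from TP-Link, ZDI, NCSC or any vendor. The router access-log format, the `/cgi-bin/dropbearpwd` path, the `dnsserver` parameter name, the DNS-log format and every IP address and CIDR range are constructed assumptions for illustration only: the real path is the one the ZDI advisory describes, and the real suspect ranges are the NCSC IOC list, which the page notes is not exhaustive.

```python
"""Constructed detection logic for CVE-2023-50224 follow-on activity.

Added example, not the page's or any vendor's code. Log formats, paths,
parameter names and all addresses below are assumptions; swap in the NCSC
IOC ranges and your router's real access-log format before use.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed router httpd access log. Fields: src_ip method url "auth" status.
# A "-" in the auth field means the request carried no Cookie/Authorization.
ROUTER_LOG = """\
192.168.0.23 GET /userRpm/StatusRpm.htm "Authorization=Basic" 200
203.0.113.7 GET /cgi-bin/dropbearpwd "-" 200
203.0.113.7 GET /userRpm/DhcpRpm.htm?dnsserver=198.51.100.5&Save=Save "-" 200
192.168.0.23 GET /userRpm/DhcpRpm.htm?dnsserver=9.9.9.9&Save=Save "Authorization=Basic" 200
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<auth>[^"]*)" (?P<status>\d+)$'
)


def parse_router_log(text):
    """Parse the constructed access-log format into dicts with path/query/auth flags."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        e = m.groupdict()
        parts = urlsplit(e["url"])
        e["path"] = parts.path
        e["query"] = parse_qs(parts.query)
        e["authenticated"] = e["auth"] != "-"
        entries.append(e)
    return entries


def is_unauth_credential_read(e):
    # Assumed path fragment: the page only says "dropbearpwd path".
    return e["method"] == "GET" and not e["authenticated"] and "dropbearpwd" in e["path"].lower()


def unauth_dns_change(e):
    """Return the new DNS value if this is an unauthenticated GET that sets any dns* parameter."""
    if e["method"] != "GET" or e["authenticated"]:
        return None
    for key, values in e["query"].items():
        if "dns" in key.lower() and values:
            return values[0]
    return None


def unauth_credential_reads(entries):
    return [e for e in entries if is_unauth_credential_read(e)]


def unauth_dns_changes(entries):
    return [(e["src"], v) for e in entries if (v := unauth_dns_change(e)) is not None]


def chained_sources(entries):
    """Sources that read credentials and later, still unauthenticated, rewrote DNS.

    Ordering matters: the DNS change must come after the credential read.
    """
    seen_read = set()
    chained = []
    for e in entries:
        if is_unauth_credential_read(e):
            seen_read.add(e["src"])
            continue
        new_dns = unauth_dns_change(e)
        if new_dns is not None and e["src"] in seen_read:
            chained.append((e["src"], new_dns))
    return chained


# Constructed resolver log: client qname answer. Domains are the ones listed on the page.
DNS_LOG = """\
10.0.0.5 outlook.office365.com 198.51.100.5
10.0.0.5 outlook.office365.com 203.0.113.10
10.0.0.9 example.org 198.51.100.5
"""
OUTLOOK_DOMAINS = {
    "autodiscover-s.outlook.com", "imap-mail.outlook.com", "outlook.live.com",
    "outlook.office.com", "outlook.office365.com",
}
# Placeholder documentation range standing in for the NCSC APT28 IOC ranges.
SUSPECT_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def hijacked_outlook_resolutions(text, suspect_ranges=SUSPECT_RANGES):
    """Outlook-domain answers that land inside suspect ranges (AitM DNS hijack)."""
    hits = []
    for line in text.splitlines():
        client, qname, answer = line.split()
        if qname.lower().rstrip(".") not in OUTLOOK_DOMAINS:
            continue
        ip = ipaddress.ip_address(answer)
        if any(ip in net for net in suspect_ranges):
            hits.append((client, qname, answer))
    return hits


if __name__ == "__main__":
    ents = parse_router_log(ROUTER_LOG)
    print("credential reads:", [e["src"] for e in unauth_credential_reads(ents)])
    print("unauth DNS changes:", unauth_dns_changes(ents))
    print("chained sources:", chained_sources(ents))
    print("hijacked resolutions:", hijacked_outlook_resolutions(DNS_LOG))
```

The authenticated change to `9.9.9.9` from the LAN host is deliberately not flagged, which is the point of keying on the missing auth header rather than on the DNS parameter alone; an administrator legitimately changing DNS should not trip the rule. The `example.org` answer inside the suspect range is also ignored, since the page's hunt is specifically for the Outlook domains being redirected.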
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | — | 8.6 | HIGH | — |
| cisa | — | 6.5 | MEDIUM | — |
VulnCheck · vulncheck · 2025 · CVSS 8.6
CVE-2025-9377 [HIGH] CWE-78: TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
TP-Link Archer C7(EU) and TL-WR841N/ND(MS) contain an OS command injection vulnerability in the Parental Control page. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: TP-Link Multiple Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.tp-link.com/us/support/faq/4365/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acn.gov.it/portale/w/rilevato-sfruttamento-in-rete-delle-cve-2023-50224-e-cve
GHSA · ghsa_unreviewed · 2024-05-03
GHSA-g654-hw9f-49w6 / CVE-2023-50224 [MEDIUM] CWE-290: TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899.
VulnCheck · vulncheck · 2023 · CVSS 6.5
CVE-2023-50224 [MEDIUM] CWE-290: TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclosure of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: TP-Link TL-WR841N
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.tp-link.com/us/support/faq/4365/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acn.gov.it/portale/w/rilevato-sfrut
CISA · cisa · 2025-09-03 · CVSS 6.5
CVE-2023-50224 [MEDIUM] CWE-290: TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability
Affected: TP-Link TL-WR841N
TP-Link TL-WR841N contains an authentication bypass by spoofing vulnerability within the httpd service, which listens on TCP port 80 by default, leading to the disclosure of stored credentials. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.tp-link.com/us/support/faq/4308/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-50224
Remediation Due Date: 2025-09-24
No detection rules found.
No public exploits indexed.
Hackernews · blogs_hackernews · 2026-04-07
## Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025.
The large-scale exploitation campaign has been codenamed FrostArmada by Lumen's Black Lotus Labs, with Microsoft describing it as an effort to exploit vulnerable home and small office (SOHO) internet devices to hijack DNS traffic and e
Bleepingcomputer · blogs_bleepingcomputer · 2026-03-25 · CVSS 8.6
CVE-2025-15517 [HIGH]
## TP-Link warns users to patch critical router auth bypass flaw
By Sergiu Gatlan
TP-Link has patched several vulnerabilities in its Archer NX router series, including a critical-severity flaw that may allow attackers to bypass authentication and upload new firmware.
Tracked as CVE-2025-15517 , this security flaw affects Archer NX200, NX210, NX500, and NX600 wireless routers and stems from a missing authentication weakness that attackers can exploit without privileges.
"A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users," TP-Link explained earlier this week when it released security updates that address the vulnerability.
"An attacker may perform privileged HTTP actions without authentication, inclu
Bleepingcomputer · blogs_bleepingcomputer · 2025-09-04
## New TP-Link zero-day surfaces as CISA warns other flaws are exploited
By Bill Toulas
TP-Link has confirmed the existence of an unpatched zero-day vulnerability impacting multiple router models, as CISA warns that other router flaws have been exploited in attacks.
The zero-day vulnerability was discovered by independent threat researcher Mehrun (ByteRay), who noted that he first reported it to TP-Link on May 11, 2024.
The Chinese networking equipment giant confirmed to BleepingComputer that it is currently investigating the exploitability and exposure of the flaw.
Though a patch is reportedly already developed for European models, work is underway to develop fixes for U.S. and global firmware versions, with no specific date estimates given.
“TP-Link is aware of the recently disclos
Greynoiseio · blogs_greynoiseio
NoiseLetter September 2025
Recorded Future · blogs_recorded_future · CVSS 7.2 [HIGH]
# September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
NCSC · ncsc · 2026-04-07
## APT28 exploit routers to enable DNS hijacking operations
Russian cyber actors APT28 exploit vulnerable routers to hijack DNS, enabling adversary-in-the-middle attacks and theft of passwords and authentication tokens.
## Executive summary
Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web an
References
- https://www.tp-link.com/en/support/download/tl-wr841n/v12/#Firmware
- https://www.zerodayinitiative.com/advisories/ZDI-23-1808/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-50224
Timeline
- 2024-05-03: Published
- 2025-09-03: Added to CISA KEV
- Exploited in the wild