CVE-2023-50224
published 2024-05-03


Priority: P183 · medium · 6.5 (CVSS 3.0)
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Flags: KEV · ITW
CISA Known Exploited Vulnerability, due 2025-09-24
Exploited in the wild
EPSS: 17.45% (96.7th percentile)
TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from improper authentication. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19899.

Affected (2 ranges)

Vendor  | Product            | Version range | Fixed in
tp-link | tl-wr841n          |               |
tp-link | tl-wr841n_firmware |               |

Detection & IOCs (extracted from sources)

port: TCP/80
port: TCP/56777
port: TCP/35681
  • Exploit uses unauthenticated HTTP GET requests against the httpd service on TCP/80 to extract stored credentials (dropbearpwd path)
  • After credential extraction, a second crafted HTTP GET request is sent to modify DHCP DNS settings on the router — monitor for unauthenticated GET requests that alter DNS configuration on TP-Link WR841N management interface
  • Hunt for DNS resolutions of Outlook/email domains (autodiscover-s.outlook.com, imap-mail.outlook.com, outlook.live.com, outlook.office.com, outlook.office365.com) resolving to the listed APT28 IP ranges rather than legitimate Microsoft infrastructure
  • CVE-2023-50224 is chained with CVE-2025-9377 (command injection) for full RCE — detections should consider both vulnerabilities being exploited in sequence on the same device
  • Quad7 botnet has exploited CVE-2023-50224 since 2023 to install custom malware converting routers into proxies — look for unusual outbound proxy/relay traffic from TP-Link SOHO routers
  • The IOC IP list from NCSC covers only the first cluster of APT28 DNS/AitM infrastructure; the document notes the list is not exhaustive and selectors are liable to change
  • The list of targeted TP-Link router models is likely not exhaustive — other models beyond those listed may also be vulnerable
  • Subsequent malicious logins using harvested credentials may originate from infrastructure not listed in this advisory
  • For banner pattern 2, the dnsmasq DNS software was only present on some servers in that cluster — absence of the banner does not rule out membership in the cluster
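A small resolver-log hunt for the Outlook-domain bullet above, added here as an example and not taken from the advisory or from this site: it flags answers for the five listed hostnames that fall outside Microsoft's address ranges and ranks hits on a suspect-IP list higher. The log line shape and both network lists (TEST-NET placeholders to be replaced with the NCSC IOC list and Microsoft's published Office 365 ranges) are assumptions.

```python
import ipaddress
import re

# Hostnames from the advisory bullet: APT28 AitM infrastructure answered DNS
# queries for these names instead of Microsoft's own infrastructure.
WATCHED_DOMAINS = {
    "autodiscover-s.outlook.com", "imap-mail.outlook.com",
    "outlook.live.com", "outlook.office.com", "outlook.office365.com",
}
# Placeholder networks (TEST-NET), not real data: fill SUSPECT_NETWORKS from the
# NCSC IOC list and MICROSOFT_NETWORKS from Microsoft's Office 365 endpoint list.
SUSPECT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MICROSOFT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed (constructed) resolver log shape: "<ts> <client_ip> <qname> <answer>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def classify_answer(qname, answer):
    """Verdict for one DNS answer: None, 'suspect-ioc' or 'non-microsoft'."""
    if qname.lower().rstrip(".") not in WATCHED_DOMAINS:
        return None
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return None  # CNAME or malformed answer, not an A/AAAA record
    if any(ip in net for net in MICROSOFT_NETWORKS):
        return None
    if any(ip in net for net in SUSPECT_NETWORKS):
        return "suspect-ioc"
    return "non-microsoft"

def hunt(log_lines):
    """Return (client, qname, answer, verdict) for every answer needing review."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed shape
        _ts, client, qname, answer = m.groups()
        verdict = classify_answer(qname, answer)
        if verdict:
            findings.append((client, qname, answer, verdict))
    return findings

SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2024-05-03T10:00:01Z 192.168.0.12 outlook.office365.com 198.51.100.7",
    "2024-05-03T10:00:02Z 192.168.0.12 outlook.office365.com 203.0.113.45",
    "2024-05-03T10:00:03Z 192.168.0.20 imap-mail.outlook.com 192.0.2.9",
    "2024-05-03T10:00:05Z 192.168.0.20 outlook.live.com mail.example.net.",
]
```

Answers inside Microsoft's ranges and CNAME answers are dropped; everything else for a watched name is returned for review, with IOC hits labelled separately.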

CVSS provenance

nvd: v3.0 6.5 MEDIUM CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 8.6 HIGH
cisa: 6.5 MEDIUM