CVE-2023-1389 — TP-Link Archer AX21 Command Injection Vulnerability

CVE-2023-1389

TP-Link Archer AX21 — Unauthenticated Command Injection in Locale API; Pwn2Own Toronto Discovery; Exploited by Mirai Botnet Variants

The TP-Link Archer AX21 is a popular dual-band Wi-Fi 6 (802.11ax) home router marketed as the AX1800. It provides 1800 Mbps combined wireless speeds (1201 Mbps on 5 GHz and 574 Mbps on 2.4 GHz) and is widely sold through retail channels globally. Home routers like the AX21 run embedded Linux with a lightweight web-based management interface, and their large installed base makes them attractive targets for botnet operators who compromise routers to build DDoS infrastructure, anonymize attack traffic, and establish persistent network presence.

Overview

CVE-2023-1389 is a command injection vulnerability (CWE-77) in the TP-Link Archer AX21's web management interface locale API endpoint that allows an unauthenticated attacker with adjacent network access to execute arbitrary OS commands as root. The vulnerability was discovered by Trend Micro Zero Day Initiative researchers and demonstrated at Pwn2Own Toronto 2022. TP-Link patched it in January 2023 firmware, but Mirai botnet variants — including a variant called "Condi" — began mass-exploiting unpatched AX21 routers in April 2023 to build DDoS infrastructure. CISA added it to the KEV catalog in May 2023.

Affected Versions

Product               Affected Firmware                        Fixed
Archer AX21 V3        Firmware before 1.1.4 Build 20230219     1.1.4 Build 20230219
Other AX21 versions   Check TP-Link security advisory          Firmware update required

Technical Details

The command injection (CWE-77) exists in the router's web management API at the /cgi-bin/luci/;stok=/locale endpoint, specifically in the country parameter of the form=country request. The router builds an OS-level shell command from the user-supplied country value without validating it first, so any shell metacharacter or line break in that value becomes part of the command line — a classic OS command injection pattern in embedded router firmware.

An attacker on the same network segment (LAN or Wi-Fi) can send a crafted HTTP POST request with embedded shell metacharacters or command separators in the country parameter:

POST /cgi-bin/luci/;stok=/locale?form=country
country=<country_code>%0aos_command_here

The router's web server processes the request, constructs the shell command with the injected content, and executes it as root — giving the attacker full control of the router's embedded Linux operating system.

The AV:A (Adjacent Network) CVSS metric indicates the attacker must be on the same network segment, typically the LAN or Wi-Fi network the router serves. However, when WAN-side management is enabled (a non-default but common misconfiguration), the attack surface extends to the internet.
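To make the defect and its detection concrete, the following is an added Python example; it is not code from this page, from TP-Link or from the router's LuCI interface. It parses requests to the locale endpoint, applies the allowlist the firmware should have applied (two uppercase ASCII letters, an assumption made for this example since the page does not state the firmware's accepted set), and flags any request whose decoded country value fails that check. The sample requests are constructed for the example, not captured traffic, and the injected value is a harmless placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory; stok is empty on the unauthenticated path.
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"

# Allowlist for the country value (assumption for this example: ISO-style two-letter code).
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")

# Characters with meaning to /bin/sh that never belong in a country code.
SHELL_META = set(";|&`$()<>\n\r\t'\"\\")


def validate_country(value):
    """Hardened check: accept only a bare two-letter code, nothing else."""
    return COUNTRY_RE.fullmatch(value) is not None


def classify_country(value):
    """Return 'ok', 'metachar' or 'malformed' for an already URL-decoded country value."""
    if validate_country(value):
        return "ok"
    if any(ch in SHELL_META for ch in value):
        return "metachar"
    return "malformed"


def parse_locale_request(request_line, body):
    """Extract form and country from one request; None if it is not the locale endpoint."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)          # path keeps the ';stok=' segment, query is separate
    if parts.path != LOCALE_PATH:
        return None
    form = parse_qs(parts.query).get("form", [None])[0]
    # parse_qs percent-decodes, so %0a in the body becomes a real newline here.
    country = parse_qs(body, keep_blank_values=True).get("country", [None])[0]
    return {"method": method, "form": form, "country": country}


def parse_raw_request(raw):
    """Split a raw HTTP request (LF line endings in these samples) into request line and body."""
    head, _, body = raw.partition("\n\n")
    request_line = head.splitlines()[0]
    return parse_locale_request(request_line, body.strip())


def scan_requests(raw_requests):
    """Return (index, verdict, country) for every form=country request failing validation."""
    findings = []
    for i, raw in enumerate(raw_requests):
        req = parse_raw_request(raw)
        if req is None or req["form"] != "country" or req["country"] is None:
            continue
        verdict = classify_country(req["country"])
        if verdict != "ok":
            findings.append((i, verdict, req["country"]))
    return findings


# Constructed sample traffic (not real captures): a benign locale change, the same request
# with a percent-encoded newline and a placeholder after it, and an unrelated request.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1\nHost: 192.168.0.1\n\ncountry=US",
    "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1\nHost: 192.168.0.1\n\n"
    "country=US%0aPLACEHOLDER_COMMAND",
    "GET /cgi-bin/luci/;stok=/login HTTP/1.1\nHost: 192.168.0.1\n\n",
]

if __name__ == "__main__":
    for idx, verdict, country in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}: {country!r}")
```

The same allowlist serves both purposes: on the device it is the fix (reject the value before any command is built, and pass the validated code as an argument rather than through a shell), and on a monitoring host it is the detection rule, since a legitimate locale change never needs anything beyond two letters.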

Discovery

The vulnerability was discovered and reported by Trend Micro's Zero Day Initiative (ZDI) and demonstrated at Pwn2Own Toronto 2022 in December 2022. Pwn2Own Toronto targets consumer home devices including routers. Following coordinated disclosure, TP-Link released patched firmware before public disclosure of the vulnerability details.

Exploitation Context

After the vulnerability details became public in March 2023, multiple Mirai botnet variants rapidly incorporated CVE-2023-1389 exploits. Mirai-variant botnets continuously scan the internet for vulnerable home routers to recruit as DDoS nodes; the Archer AX21's large installed base made it a high-yield target. A variant called "Condi" specifically targeted AX21 devices and was responsible for building significant DDoS botnet capacity using this vulnerability. Router-based botnets are used for volumetric DDoS attacks, credential stuffing, proxy services, and network scanning.

Remediation

  1. Update Archer AX21 firmware to 1.1.4 Build 20230219 or later — download from TP-Link's support site and apply via the router's admin interface (Advanced → System → Firmware Upgrade).
  2. Enable automatic firmware updates if the router supports it — TP-Link routers may have an auto-update option in the admin interface.
  3. Disable WAN-side management access — ensure the router's web management interface is not accessible from the internet (disable Remote Management if enabled).
  4. Change the default admin password — routers with default credentials are compromised via other methods even when firmware is patched.
  5. Reboot the router after patching — Mirai infections in RAM are cleared on reboot; installing the firmware update and rebooting removes active malware on an already-infected device.
  6. Replace end-of-life TP-Link devices — older TL-WR series routers (CVE-2023-33538) that cannot be patched should be replaced with currently supported hardware.
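A practitioner checking a fleet of routers wants a repeatable way to tell which devices still have steps open. The following Python is an added example, not TP-Link tooling; it compares a firmware string against the fixed build named above and maps a device's state to the remediation steps still outstanding. The firmware string format is taken from the page; the device dictionary keys and the inventory entries are constructed for the example.

```python
import re

# Fixed build from the advisory: this version or newer is patched.
FIXED_FIRMWARE = "1.1.4 Build 20230219"

# Format of TP-Link's version strings as shown on this page: major.minor.patch Build YYYYMMDD.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})$")


def parse_firmware(version):
    """Turn '1.1.4 Build 20230219' into a comparable tuple; raise if the format differs."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version):
    """True when the running firmware is the fixed build or a later one."""
    return parse_firmware(version) >= parse_firmware(FIXED_FIRMWARE)


def outstanding_actions(device):
    """Return the remediation steps (numbered as in the list above) still open for a device.

    Keys assumed for this example: 'firmware' (str), 'remote_management' (bool),
    'default_password' (bool), 'rebooted_since_update' (bool).
    """
    actions = []
    patched = is_patched(device["firmware"])
    if not patched:
        actions.append("1: update firmware to 1.1.4 Build 20230219 or later")
    if device.get("remote_management", False):
        actions.append("3: disable WAN-side management")
    if device.get("default_password", False):
        actions.append("4: change the default admin password")
    if patched and not device.get("rebooted_since_update", False):
        actions.append("5: reboot to clear in-memory malware")
    return actions


# Constructed inventory (hypothetical devices and version strings, not real data).
INVENTORY = {
    "router-a": {"firmware": "1.1.3 Build 20221220", "remote_management": True,
                 "default_password": False, "rebooted_since_update": False},
    "router-b": {"firmware": "1.1.4 Build 20230219", "remote_management": False,
                 "default_password": True, "rebooted_since_update": False},
    "router-c": {"firmware": "1.2.0 Build 20240101", "remote_management": False,
                 "default_password": False, "rebooted_since_update": True},
}

if __name__ == "__main__":
    for name, state in INVENTORY.items():
        open_steps = outstanding_actions(state)
        print(f"{name}: {'clean' if not open_steps else '; '.join(open_steps)}")
```

Because the date-stamped build number is the last element of the tuple, two firmwares with the same numeric version but different build dates still compare in the right order.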

Key Details

Property              Value
CVE ID                CVE-2023-1389
Vendor / Product      TP-Link — Archer AX21
NVD Published         2023-03-15
NVD Last Modified     2025-11-03
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-77
CISA KEV Added        2023-05-01
CISA KEV Deadline     2023-05-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Adjacent
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-05-22. Apply updates per vendor instructions.

Timeline

Date         Event
2022-12      Trend Micro Zero Day Initiative researchers demonstrate the vulnerability at Pwn2Own Toronto 2022
2023-01-19   TP-Link releases firmware 1.1.4 Build 20230219 for the Archer AX21, fixing CVE-2023-1389
2023-03-15   CVE-2023-1389 formally published after disclosure period
2023-04      Mirai botnet variants including 'Condi' begin actively exploiting CVE-2023-1389 at scale to recruit Archer AX21 routers into DDoS botnets
2023-05-01   Added to CISA Known Exploited Vulnerabilities catalog
2023-05-22   CISA BOD 22-01 remediation deadline

References

Resource                                  Type
TP-Link Archer AX21 Firmware Downloads    Vendor Advisory
NVD — CVE-2023-1389                       Vulnerability Database
CISA KEV Catalog Entry                    US Government