CVE-2023-33538 — TP-Link Multiple Routers Command Injection Vulnerability

TP-Link TL-WR Series — Authenticated Command Injection via WlanNetworkRpm; Likely EoL Devices

TP-Link is one of the world's largest manufacturers of networking equipment. The affected devices — TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 — are older N300 (300 Mbps) wireless routers from the TL-WR series, designed for home and small-office use. These models are likely at or past end-of-life (EoL) status and may not receive firmware updates from TP-Link. Large numbers of these devices remain in homes and small businesses, making them persistent targets for botnet operators who systematically exploit legacy router vulnerabilities.

Overview

CVE-2023-33538 is a command injection vulnerability in the /userRpm/WlanNetworkRpm endpoint of several TP-Link TL-WR series routers. An attacker who can reach the web interface and authenticate to it can execute arbitrary operating system commands on the device. The CVE was published in June 2023; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2025, two years later, on evidence of active exploitation of these legacy devices. Because the affected models are out of support, CISA's required action directs users to discontinue use of the product if mitigations are unavailable.

Affected Versions

Device              Affected Versions        Fixed
TL-WR940N V2/V4     All firmware versions    No patch available (EoL)
TL-WR841N V8/V10    All firmware versions    No patch available (EoL)
TL-WR740N V1/V2     All firmware versions    No patch available (EoL)

These are end-of-life or end-of-service devices. TP-Link may not provide firmware patches; replacement with a supported device is the recommended remediation.

Technical Details

The vulnerability is a command injection (CWE-77) in the wireless network configuration handler WlanNetworkRpm. When the form is submitted, the router's web server passes user-supplied fields (such as the wireless SSID) into a shell command string that it then executes, without neutralizing shell metacharacters. An authenticated attacker who places a command separator such as ; or a backtick-quoted substitution in a parameter value therefore gets additional commands run by the router's embedded Linux system with root privileges. The same flaw is reachable from any host that can send requests to the web interface, which on a SOHO router normally means every device on the LAN.

Authentication is required (PR:L), but on SOHO routers that requirement is a weak barrier, because they commonly have:

  • Unchanged default credentials (admin/admin or similar)
  • Credentials shared across multiple devices on the same network
  • Credentials exposed through other vulnerabilities or phishing

Once command injection is achieved, attackers can modify router configuration (DNS hijacking, traffic interception), install persistent malware in router flash memory, or use the device as a botnet node for DDoS or proxy operations.
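
The pattern described above, as an added example that is not TP-Link's firmware code: a handler that pastes the SSID into a shell command (the vulnerable shape) next to one that validates the SSID and hands it over as its own argv entry so no shell parses it. The command name (iwconfig), the interface name (ath0) and the payload are assumptions for illustration; the page only identifies the endpoint and the injection class, and nothing in the block executes a command.

```c
/*
 * Added example (not TP-Link firmware): the command-injection pattern behind
 * CVE-2023-33538, next to a hardened handler. Assumptions: the WlanNetworkRpm
 * handler applies the new SSID by running a shell command such as
 * "iwconfig ath0 essid <ssid>"; the binary and interface names are made up
 * for illustration. Nothing here executes a command.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX  256
#define SSID_MAX 32      /* IEEE 802.11 caps an SSID at 32 octets */

/* VULNERABLE: the user-controlled SSID is pasted into a command line that the
 * firmware would hand to system(). Returns the string (static storage so the
 * example stays self-contained) or NULL if it would not fit. */
const char *build_wlan_cmd_vulnerable(const char *ssid)
{
    static char cmd[CMD_MAX];
    int n = snprintf(cmd, sizeof cmd, "iwconfig ath0 essid \"%s\"", ssid);
    return (n < 0 || (size_t)n >= sizeof cmd) ? NULL : cmd;
}

/* True if the string contains a byte that /bin/sh would interpret. A closing
 * quote followed by ';' is enough to end the intended command and start an
 * attacker-chosen one. */
bool has_shell_metachar(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || strchr(";|&$`\"'\\()<>", c) != NULL)
            return true;
    }
    return false;
}

/* HARDENED, step 1: validate. Length-bounded and restricted to an allowlist;
 * rejecting rather than stripping avoids surprises from partial sanitizing. */
bool ssid_is_valid(const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > SSID_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!isalnum(c) && strchr(" -_.", c) == NULL)
            return false;
    }
    return true;
}

/* HARDENED, step 2: no shell. The SSID becomes its own argv entry for
 * execv()/posix_spawn(), so even a ';' would simply be part of the name.
 * Returns the argv array (static storage) or NULL if the SSID was rejected. */
const char **build_wlan_argv(const char *ssid)
{
    static const char *argv[5];
    if (!ssid_is_valid(ssid))
        return NULL;
    argv[0] = "iwconfig";
    argv[1] = "ath0";
    argv[2] = "essid";
    argv[3] = ssid;   /* delivered verbatim to the kernel, never to /bin/sh */
    argv[4] = NULL;
    return argv;
}

int main(void)
{
    /* Constructed payload: closes the quote, runs reboot, comments out the rest. */
    const char *payload = "Net\"; reboot; #";
    printf("vulnerable command line: %s\n", build_wlan_cmd_vulnerable(payload));
    printf("metachar seen: %d\n", has_shell_metachar(payload));
    printf("hardened accepts payload: %d\n", build_wlan_argv(payload) != NULL);
    printf("hardened accepts HomeNet-5G: %d\n", build_wlan_argv("HomeNet-5G") != NULL);
    return 0;
}
```

The allowlist is deliberately narrower than what 802.11 permits; a vendor that needs the full byte range would keep the argv approach and drop the character filter, since the argv boundary is what actually removes the injection. The validation alone is not sufficient, because a second handler that still builds a command string would reintroduce the bug.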

Discovery

The CVE was published on 2023-06-07. The two-year gap before CISA KEV addition reflects exploitation of devices that were still in the field long after disclosure, a pattern common with EoL consumer networking equipment.

Exploitation Context

Legacy home and SOHO routers are systematically targeted by botnet operators because of their large installed base, infrequent firmware updates, and frequent use of default credentials. Campaigns against devices like these TL-WR models feed botnets used for DDoS, credential stuffing, and residential proxy infrastructure. Addition to the KEV catalog means CISA has reliable evidence that the vulnerability has been exploited in the wild; the BOD 22-01 deadline binds federal civilian executive branch agencies, but the catalog is intended as a priority list for any organization that still operates these devices.

Remediation

  1. Replace affected devices with currently supported TP-Link models or another vendor's current hardware. Given the EoL status, this is the only complete fix.
  2. If replacement is not immediately possible, reduce exposure:
    • Change the admin password to a strong, unique one immediately; the injection is reachable only after authentication, so default or reused credentials are the attacker's entry point.
    • Disable remote management (WAN-side access to the web interface).
    • Install the latest firmware TP-Link still offers for the model, even though it does not fix this vulnerability; it may close others.
    • Restrict access to the management interface to a small set of trusted LAN hosts, and keep untrusted or IoT devices on a separate network segment so they cannot reach it.
  3. Disable UPnP so that LAN hosts cannot open inbound port forwards that would expose the management interface to the internet.
  4. Monitor devices behind the router for signs of compromise; DNS servers handed out by DHCP that differ from the expected ones and unexpected traffic redirection are common post-exploitation activity.
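
Alongside step 4, an added example (not a vendor or CISA signature) of what a network sensor with visibility into LAN-side HTTP traffic can check: a request to /userRpm/WlanNetworkRpm whose decoded query values contain shell operators. The affected routers expose no request log of their own, so this assumes a sensor such as a span port or inline proxy producing one line per request; the log format, the sample lines and the form field names (ssid1, region, channel, Save) are constructed for the example, since the page only names the endpoint.

```c
/*
 * Added example (not TP-Link code, not a vendor signature): spotting attempts
 * against the WlanNetworkRpm handler in HTTP request logs from a LAN-side
 * network sensor. The log format and all sample lines are constructed for
 * this example; the form field names (ssid1, region, channel, Save) are
 * assumed for illustration, since the advisory only names the endpoint.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TARGET_PATH "/userRpm/WlanNetworkRpm"

/* Constructed sample: timestamp, client address, method, request URI.
 * Line 1 is a normal settings change; lines 3 and 4 carry injected commands
 * (percent-encoded and literal). */
static const char *const SAMPLE_LOG[] = {
    "2025-06-17T08:01:02Z 192.168.0.23 GET /userRpm/WlanNetworkRpm?ssid1=HomeNet-5G&region=0&channel=6&Save=Save",
    "2025-06-17T08:01:40Z 192.168.0.23 GET /userRpm/LoginRpm?Save=Save",
    "2025-06-17T08:02:15Z 192.168.0.77 GET /userRpm/WlanNetworkRpm?ssid1=x%22%3B%20reboot%3B%20%23&Save=Save",
    "2025-06-17T08:02:16Z 192.168.0.77 GET /userRpm/WlanNetworkRpm?ssid1=x`id`&Save=Save",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode one query value ('+' becomes a space). Decoding first matters:
 * "%3B" is ';' to the router, and an attacker will encode precisely to slip
 * past naive string matching on the raw line. */
size_t url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in && o + 1 < outlen; in++) {
        if (*in == '%' && hexval((unsigned char)in[1]) >= 0 && hexval((unsigned char)in[2]) >= 0) {
            out[o++] = (char)(hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]));
            in += 2;
        } else if (*in == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return o;
}

/* Shell operators that have no business in a Wi-Fi settings form. A lone '&'
 * is tolerated because real SSIDs contain it; "&&" is not. */
bool looks_like_shell_injection(const char *s)
{
    if (strstr(s, "&&") != NULL)
        return true;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\n' || c == '\r' || strchr(";|`$()<>", c) != NULL)
            return true;
    }
    return false;
}

/* True if the URI targets the vulnerable handler and any decoded query value
 * looks like an injection. Values are decoded one at a time so the literal
 * '&' separators between parameters are never mistaken for shell syntax. */
bool request_is_suspicious(const char *uri)
{
    const char *q = strchr(uri, '?');
    size_t plen = q ? (size_t)(q - uri) : strlen(uri);
    size_t tlen = strlen(TARGET_PATH);
    if (q == NULL || plen < tlen || memcmp(uri + plen - tlen, TARGET_PATH, tlen) != 0)
        return false;
    for (const char *p = q + 1; *p; ) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        const char *val = eq ? eq + 1 : p;
        size_t vlen = eq ? len - (size_t)(val - p) : len;
        char raw[256], decoded[256];
        if (vlen >= sizeof raw)
            vlen = sizeof raw - 1;
        memcpy(raw, val, vlen);
        raw[vlen] = '\0';
        url_decode(raw, decoded, sizeof decoded);
        if (looks_like_shell_injection(decoded))
            return true;
        p = end ? end + 1 : p + len;
    }
    return false;
}

/* Returns how many log lines hit the rule. */
int scan_log(const char *const *lines, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        char uri[512];
        if (sscanf(lines[i], "%*s %*s %*s %511s", uri) == 1 && request_is_suspicious(uri))
            flagged++;
    }
    return flagged;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        char uri[512];
        if (sscanf(SAMPLE_LOG[i], "%*s %*s %*s %511s", uri) == 1)
            printf("%s  %s\n", request_is_suspicious(uri) ? "ALERT" : "ok   ", SAMPLE_LOG[i]);
    }
    printf("%d suspicious request(s)\n", scan_log(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

Two caveats a practitioner should keep in mind: the check only sees requests that traverse the sensor, so an attacker already on the same switch segment as the router is invisible to it, and a hit from a host that is not the administrator's workstation is the interesting case, since a legitimate settings change will never contain ; or a backtick. Any single-character rule will have rare false positives against unusual SSIDs; tune the operator set to the environment rather than dropping the check.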

Key Details

Property               Value
CVE ID                 CVE-2023-33538
Vendor / Product       TP-Link — Multiple Routers
NVD Published          2023-06-07
NVD Last Modified      2025-10-27
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-77 (Improper Neutralization of Special Elements used in a Command)
CISA KEV Added         2025-06-16
CISA KEV Deadline      2025-07-07
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-07-07. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-06-07    CVE-2023-33538 published
2025-06-16    Added to CISA Known Exploited Vulnerabilities catalog
2025-07-07    CISA BOD 22-01 remediation deadline

References

Resource                       Type
TP-Link Security Advisory      Vendor Advisory
NVD — CVE-2023-33538           Vulnerability Database
CISA KEV Catalog Entry         US Government