Executive Summary

We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:

• TL-WR940N v2 and v4
• TL-WR740N v1 and v2
• TL-WR841N v8 and v10

The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices.

We observed this activity after the Cybersecurity and Infrastructure Security Agency’s (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposures) to its Known Exploited Vulnerabilities (KEV) Catalog.

There has been some discussion of how impactful (or not) these active campaigns might have been. To address this, we conducted a deep-dive investigation by emulating the TP-Link TL-WR940N router. Using firmware emulation and reverse engineering, we analyzed whether the specific exploits observed in our telemetry could successfully use this vulnerability to deliver the payload on that device model.

During our investigation, we uncovered two important facts about the attempted exploitation of this vulnerability:

• Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real
• Successful exploitation requires authentication to the router's web interface

This research demonstrates that while active botnet attacks leverage flawed exploit code, the underlying vulnerability remains a practical infection vector due to the widespread use of default internet of things (IoT) credentials.

TP-Link gave the following recommendation, regarding the devices and vulnerability in question:

*We confirm that the affected TP‑Link devices are end‑of‑life, and no vendor patches are available. Our recommendation to customers is to replace these units with supported hardware and ensure that default credentials are not used.*

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

• Advanced URL Filtering and Advanced DNS Security
• Advanced WildFire
• Cortex Xpanse
• Device Security
• Next-Generation Firewall with Advanced Threat Prevention

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics |

Mirai, Wifi Routers, Command Injection |

Technical Analysis of Attempted Exploitation of CVE-2023-33538

CVE-2023-33538 was publicly reported in June 2023, affecting the aforementioned end-of-life TP-Link routers. Proof-of-concept (PoC) exploits for the different routers appeared earlier that month. The PoC exploits were removed from their original GitHub post but can be retrieved via Web Archive.

According to the report, the /userRpm/WlanNetworkRpm endpoint contains a vulnerability in processing the ssid1 parameter sent through an HTTP GET request, because the parameter value is not sanitized when the Wi-Fi router processes it. Consequently, an attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router.

Our Telemetry Findings

Our telemetry systems detected active, large-scale exploitation attempts for CVE-2023-33538 around the time of the addition to the KEV catalog in June 2025. We observed multiple exploitation attempts similar to the example shown below in Figure 1.

These were GET requests toward the /userRpm/WlanNetworkRpm.htm endpoint, attempting to execute multiple commands in the ssid parameter:

• The first command uses wget to download an Executable and Linkable Format (ELF) binary named arm7 from the IP address 51.38.137[.]113 into the /tmp directory.
• The next command executes chmod 777 on the arm7 binary to grant the file read, write and execute permissions.
• The last command executes the saved binary at /tmp/arm7 with the parameter tplink.

This set of commands is commonly associated with botnets, such as Mirai.

These HTTP GET requests use Basic Authentication with the admin:admin credential encoded in Base64 (YWRtaW46YWRtaW4= as shown in Figure 1).

Malware Downloaded

The arm7 binary found in our telemetry appears to be a Mirai variant. It is similar to the one used in the Condi IoT botnet, with multiple examples of the string condi in the file's code. Figure 2 shows an example of code from the arm7 binary showing the string condi2.

In the main function's command processing loop, the arm7 binary waits for specific command sequences. The commands are received through the network socket connection. The data is stored in the buffer var_868 from the fd_serv function, which is the command-and-control (C2) server socket, as shown in Figure 3.

After receiving data, the arm7 binary checks for specific byte patterns described below in Table 1.

Command Sequence |

Purpose |

Action |

0x99 0x66 0x33Heartbeat ResponseSends encrypted status string to C2 0x99 0x66 0x66Lockdown/TerminationSets lockdown flag, exits if already set 0x33 0x66 0x99HTTP Server StatusReports HTTP server status (only if running) 0x33 0x66 0x33Conditional UpdateDownloads all top1hbt.* binaries (only if the HTTP server is active) 0x33 0x66 0x66HTTP Server StartStarts HTTP server on random port (1024–64511) 0x66 0x66 0x99Lockdown FlagSets termination preparation flag

Table 1. Control commands for the arm7 binary.

Binary Update Mechanism

When the binary updates itself, it first calls the update_bins("top1hbt.arm") function as shown in Figure 4.

For the update, the arm7 binary iterates through an arch_names array, which contains a total of eight additional architectures (e.g., top1hbt.arm6, top1hbt.mips) and updates accordingly. For each update, the arm7 binary:

• Removes any previously existing file
• Connects to the C2 server
• Sends HTTP GET requests
• Downloads a fresh malware binary

The update_bins() function contains the IP address and port hard-coded as observed in disassembled code from the arm7 binary shown in Figures 5 and 6.

In Figure 5, the value 0x71892633 in little-endian corresponds to the IP address 51.38.137[.]113 and 0x5000 in little-endian for TCP port 80. Figure 6 shows the same IP address and port presented as \x00\x50 for TCP port 80 and \x33\x26\x89\x71 for 51.38.137[.]113.

The arm7 binary communicates with the C2 server at 51.38.137[.]113, which also hosts the binary itself. This IP address is also associated with the domain cnc.vietdediserver[.]shop, which is a known, malicious domain associated with Mirai-like botnet campaigns.

HTTP Server Start

As part of the botnet, a host infected with the arm7 binary will act as a web server, which requires starting the HTTP daemon, httpd. For this HTTP server start procedure, the arm7 binary checks whether the flag for httpd_started is not set, meaning the httpd_start() function shown in Figure 7 has not been executed.

If the httpd_started is not set, the process generates a random value between 1024 and 65535 to use as a TCP port. It then calls httpd_start() to fork child processes. After that, the arm7 binary binds the TCP port number to a socket, listens for connections and performs a full binary update. When this happens, the process sets httpd_started flag value to 1. Finally, as an HTTP server, the infected botnet host serves malware binaries to requesting clients, which are other compromised devices.

When the httpd_start() function is executed, it first forks a child process that immediately downloads fresh malware binaries for eight different CPU architectures, as shown in the function graph in Figure 8.

After successfully retrieving updated malware binaries from the server at 51.38.137[.]113 and storing them locally, the process establishes an HTTP server on a randomly assigned port. The process then creates a liste

📌 来源: Palo Alto Unit42 | 🆔 CVE-2023-33538 | 📅 2026-04-16