Full Report
Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. "The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet," security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with
Analysis Summary
# Vulnerability: TP-Link Archer RCE Exploited by Ballista Botnet
## CVE Details
- CVE ID: CVE-2023-1389
- CVSS Score: High (Specific score not provided, but context implies high severity due to RCE potential)
- CWE: Command Injection/Remote Code Execution (Inferred)
## Affected Systems
- Products: TP-Link Archer Routers
- Versions: TP-Link Archer AX-21 routers (Specific version ranges not provided, but the flaw exists in unpatched firmware)
- Configurations: Any device running the vulnerable firmware exposed to the network.
## Vulnerability Description
CVE-2023-1389 is a high-severity vulnerability in TP-Link Archer AX-21 routers that allows for command injection, leading directly to Remote Code Execution (RCE). Threat actors leverage this flaw to automatically spread the Ballista botnet across the Internet. The exploit uses a malware dropper (`dropbpb.sh`) to fetch and execute the main binary for various architectures (mips, mipsel, armv5l, armv7l, x86_64). Upon successful execution, the malware establishes an encrypted Command-and-Control (C2) channel on port 82.
## Exploitation
- Status: Exploited in the wild (Used in active Ballista botnet campaigns since at least January 2025; historical exploitation linked to Mirai, Condi, and AndroxGh0st dating back to April 2023).
- Complexity: Low (Implied by automatic spread over the internet and use of a standard dropper).
- Attack Vector: Network
## Impact
- Confidentiality: Potential compromise (Malware attempts to read sensitive files on the local system).
- Integrity: Compromised (Full RCE allows arbitrary command execution).
- Availability: Potential Denial of Service (DoS) via `flooder` command capability.
## Remediation
### Patches
- Patches are not explicitly listed, but the core remediation is applying firmware updates provided by TP-Link that address CVE-2023-1389. Users must check the official TP-Link support site for the latest firmware for affected Archer models.
### Workarounds
- Restrict external access to the management interface of the routers.
- Isolate potentially infected devices or network segments until patched.
## Detection
- **Indicators of Compromise (IOCs):**
  - Encrypted network traffic originating from the device on TCP port 82 (C2 channel).
  - Presence of files like `dropbpb.sh` or unknown main binaries built for ARM, MIPS, or x86 architectures on the router filesystem.
  - Attempts to execute Linux shell commands or resource exhaustion indicative of flooding attacks.
- **Detection methods and tools:**
  - Network monitoring to detect connections to the known C2 IP (2.237.57[.]70, or connections to TOR domains in newer variants) on port 82.
  - Attack Surface Management platforms (like Censys) searching for device identifiers related to the Archer AX-21/AX1800 models combined with signs of compromise.
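As an added example (not code from the report or from Cato CTRL), the port-82 and dropper-name indicators above turned into a small Python check over constructed connection-log lines and file paths; the LAN range holding the routers is an assumption.

```python
"""Match the report's Ballista IOCs against constructed log and file samples."""
import ipaddress

# IOCs taken from the report; the C2 address appears defanged there as 2.237.57[.]70.
C2_ADDRESSES = {"2.237.57.70"}
C2_PORT = 82
DROPPER_NAMES = {"dropbpb.sh"}
# Assumption: the LAN range in which the Archer routers sit (not from the report).
ROUTER_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample records in a simplified "src dst dport proto" format, not real captures.
SAMPLE_CONN_LOG = """\
192.168.1.1 142.250.74.46 443 tcp
192.168.1.1 2.237.57.70 82 tcp
192.168.1.1 203.0.113.9 82 tcp
10.0.0.5 2.237.57.70 80 tcp
"""


def parse_conn_line(line):
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def classify_connection(rec):
    """Return a reason string when the record matches an IOC, else None."""
    to_c2 = rec["dst"] in C2_ADDRESSES
    on_c2_port = rec["proto"] == "tcp" and rec["dport"] == C2_PORT
    from_router = ipaddress.ip_address(rec["src"]) in ROUTER_NET
    if to_c2 and on_c2_port:
        return "known C2 address on TCP/82"
    if to_c2:
        return "known C2 address on a non-standard port"
    if on_c2_port and from_router:
        # Newer variants switch C2 hosts, so TCP/82 from the router segment alone is worth a look.
        return "outbound TCP/82 from router segment"
    return None


def scan_conn_log(text):
    """Return (src, dst, dport, reason) for every matching record."""
    hits = []
    for line in text.splitlines():
        rec = parse_conn_line(line)
        reason = classify_connection(rec)
        if reason:
            hits.append((rec["src"], rec["dst"], rec["dport"], reason))
    return hits


def scan_filenames(paths):
    """Flag the dropper name from the report in a list of filesystem paths."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in DROPPER_NAMES]
```

Feed it real flow records by adapting `parse_conn_line` to your collector's format; the classification logic does not depend on the sample layout.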
## References
- Vendor advisories: Seek official TP-Link security advisories regarding CVE-2023-1389.
- Relevant links:
  - The Hacker News article detailing the Ballista campaign: hxxps://thehackernews.com/2025/03/ballista-botnet-exploits-unpatched-tp.html
  - Historical reference to CVE-2023-1389: hxxps://thehackernews.com/2023/05/active-exploitation-of-tp-link-apache.html