Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when
Analysis Summary
# Vulnerability: TP-Link Router Command Injection (CVE-2023-33538) Under Active Exploit
## CVE Details
- CVE ID: CVE-2023-33538
- CVSS Score: 8.8 (High)
- CWE: OS Command Injection (Implied by description)
## Affected Systems
- Products: TP-Link Wireless Routers
- Versions: TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2
- Configurations: Vulnerability exists within the `/userRpm/WlanNetworkRpm` component when processing the `ssid1` parameter.
## Vulnerability Description
This is a command injection vulnerability due to improper handling of the `ssid1` parameter within an HTTP GET request directed at the `/userRpm/WlanNetworkRpm` component. Successful exploitation allows an unauthenticated attacker to execute arbitrary system commands on the underlying operating system of the router.
## Exploitation
- Status: Under Active Exploit (CISA KEV catalog listing)
- Complexity: Not explicitly stated, but command injection in network devices is often low-complexity when input validation of the affected parameter is weak or absent.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: Likely High (Ability to execute system commands can lead to information disclosure)
- Integrity: Likely High (Ability to execute system commands can lead to modification or creation of files)
- Availability: Likely High (Ability to execute system commands can lead to denial of service or device reconfiguration)
## Remediation
### Patches
(Note: Specific patch versions were not detailed in the provided summary. Users must check official TP-Link advisories.)
### Workarounds
CISA urges users to discontinue the use of affected products if no mitigations are available, especially since some may be End-of-Life (EoL) or End-of-Service (EoS).
## Detection
- Detection methods are not explicitly detailed for CVE-2023-33538 beyond the fact that it is actively exploited.
- Detection would involve monitoring traffic to the affected router's web server for HTTP GET requests to `/userRpm/WlanNetworkRpm` whose `ssid1` parameter carries shell metacharacters or other values that are not plausible SSIDs, followed by unexpected system behavior or unexpected outbound connections from the router.
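The following is an added example, not part of the advisory or of any CISA or TP-Link tooling: a small Python scanner that applies the detection logic above to web-server access-log lines, flagging GET requests to `/userRpm/WlanNetworkRpm` whose `ssid1` value contains shell metacharacters. The combined-log format and the sample lines are constructed assumptions.

```python
# Added example (not from the advisory): detect CVE-2023-33538-style requests
# in access logs by checking the ssid1 parameter of GET requests to the
# affected component for shell metacharacters. Log format is an assumption.
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/userRpm/WlanNetworkRpm"

# Characters that never belong in a legitimate SSID but are typical of
# OS command injection payloads.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_ssid1(target):
    """Return the decoded ssid1 value if it looks like injection, else None."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' before the check.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ssid1", []):
        if SHELL_META.search(value):
            return value
    return None


def scan_log(lines):
    """Return (client_ip, decoded_ssid1) for every line matching the pattern."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        value = suspicious_ssid1(m.group("target"))
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses): a benign
# SSID change, an encoded metacharacter in ssid1, and a different endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2025:10:00:01 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&region=0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:00:05 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Net%3Bid HTTP/1.1" 200 512',
    '203.0.113.4 - - [16/Jun/2025:10:00:09 +0000] "GET /userRpm/StatusRpm?ssid1=%60id%60 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, val in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: ssid1={val!r}")
```

Only the second sample line is reported; the third carries a metacharacter but targets a different component, so the path filter keeps it out of the alert list.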
## References
- CISA KEV Catalog Update (General CISA Alert): hxxps://www.cisa.gov/news-events/alerts/2025/06/16/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Original Vulnerability Details (Archived): hxxps://web.archive.org/web/20230609111043/https://github.com/a101e-IoTvul/iotvul/blob/main/tp-link/3/TL-WR940N_TL-WR841N_userRpm_WlanNetworkRpm_Command_Injection.md
- NIST NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2023-33538