
CVE-2023-33538 under attack for a year, but exploitation still unsuccessful

vulnerability · closed · Apr 20, 2026 — Apr 20, 2026

CVE-2023-33538 has been under sustained attack for over a year, but attackers have not achieved successful payload execution on the affected TP-Link routers.

The flaw is an authenticated command injection in the ssid1 parameter of the /userRpm/WlanNetworkRpm endpoint, affecting TL-WR940N v2/v4, TL-WR740N v1/v2 and TL-WR841N v8/v10 models; it carries a CVSS score of 8.8 and was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025, as noted by Palo Alto Networks Unit 42.

Exploitation requires valid credentials for the router’s web interface, and even then the payload would run inside a restricted BusyBox environment, which limits the impact; SecurityAffairs reported that telemetry showed large-scale scanning attempts after the KEV inclusion but no evidence of code execution.

Despite the high severity rating, no successful exploitation of the flaw has been observed in the wild, with threat actors seen only probing the devices; no specific APT or criminal group has been linked to the activity, according to SecurityWeek.

Defenders should ensure that any remaining TP-Link devices running the affected firmware are either retired or placed behind strict network controls, disable remote administration, and change default passwords to blunt credential-based attempts.

Monitoring for anomalous GET requests to the /userRpm/WlanNetworkRpm endpoint with unusual ssid1 values can help detect ongoing scan traffic, and applying the latest available firmware where possible reduces the attack surface, a recommendation echoed in the CISA KEV entry for this vulnerability.
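The detection idea above, turned into a small log-scanning script. This is an added example, not code from Unit 42, SecurityAffairs or any TP-Link tooling. It assumes the router's HTTP requests are visible in an Apache-style common log format (for instance from a reverse proxy or a tap in front of the management interface); the 32-byte SSID limit comes from IEEE 802.11, the shell-metacharacter list and the "served with 2xx" severity rule are the author's own heuristics, and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/userRpm/WlanNetworkRpm"
PARAM = "ssid1"

# Characters that have no place in a legitimate SSID but are typical of
# command-injection probing (heuristic, assumption of this example).
META = re.compile(r"[;&|`$(){}<>\n\\]")
MAX_SSID_LEN = 32  # IEEE 802.11 caps an SSID at 32 bytes

# Apache common-log-format request line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: a normal configuration request, an
# unauthenticated probe (401), a non-target endpoint, an oversized SSID,
# and a metacharacter probe that was actually served (200).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:10:02:11 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeNetwork&channel=6 HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2026:10:02:12 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=test%3B%20echo%20probe&channel=6 HTTP/1.1" 401 0
198.51.100.23 - - [20/Apr/2026:10:05:40 +0000] "GET /userRpm/StatusRpm HTTP/1.1" 200 2048
198.51.100.23 - - [20/Apr/2026:10:05:41 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 200 512
198.51.100.23 - - [20/Apr/2026:10:05:42 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Guest%3B%20hostname&channel=1 HTTP/1.1" 200 512
"""


def inspect_line(line):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes once; a second unquote catches double-encoded
    # values that a naive matcher on the raw query string would miss.
    values = [unquote(v) for v in parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])]
    reasons = []
    for v in values:
        if META.search(v):
            reasons.append("shell metacharacter in %s" % PARAM)
        if len(v.encode()) > MAX_SSID_LEN:
            reasons.append("%s longer than %d bytes" % (PARAM, MAX_SSID_LEN))
    if not reasons:
        return None
    status = int(m.group("status"))
    # The flaw needs valid credentials: a metacharacter payload that the
    # router actually served (2xx) means an authenticated session tried it,
    # which is far more urgent than a rejected probe.
    served = 200 <= status < 300
    severity = "high" if served and reasons[0].startswith("shell") else "medium"
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": status,
        "reasons": reasons,
        "severity": severity,
    }


def scan_log(lines):
    """Run inspect_line over an iterable of log lines, keeping only findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


def summarize(findings):
    """Count findings per source address; repeated hits from one source look like scanning."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print("%-6s %s %s %s -> %s" % (h["severity"], h["ts"], h["src"], h["status"], "; ".join(h["reasons"])))
    print("per-source hit counts:", summarize(hits))
```

Replace SAMPLE_LOG with a file read to use it on real data; the per-source counts are the cheap signal for the large-scale scanning the telemetry describes, while any "high" finding deserves a credential reset and a firmware check on that device.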

Tags: CVE-2023-33538 · CVSS 8.8 · KEV
Root source: unit42.paloaltonetworks.com