
TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert


Jun 17, 2025 | Ravie Lakshmanan | Network Security / IoT Security


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.

“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm,” the agency said.
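Because the advisory names both the component and the parameter, the request pattern can be hunted for in router or upstream proxy access logs. The following is an added Python example (not code from the article, CISA or TP-Link) that flags GET requests to /userRpm/WlanNetworkRpm whose ssid1 value carries shell metacharacters; it assumes Apache/nginx combined log format and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Component and parameter named in the CISA advisory for CVE-2023-33538.
VULN_PATH = "/userRpm/WlanNetworkRpm"
VULN_PARAM = "ssid1"

# Shell metacharacters that have no business in a legitimate SSID value.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Combined log format (assumption): src ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_request(method: str, target: str) -> bool:
    """True for a GET to the vulnerable component whose ssid1 value contains shell metacharacters."""
    if method != "GET":
        return False
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    # parse_qs decodes once; unquote again so double-encoded values (%253B) are not missed.
    return any(SHELL_META.search(unquote(v)) for v in values)


def scan_log(lines):
    """Return (source_ip, request_target) for every line that matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["method"], m["target"]):
            hits.append((m["src"], m["target"]))
    return hits


# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWifi&region=0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jun/2025:10:01:05 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Guest%3Bid HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/Jun/2025:10:02:00 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 2048',
    '203.0.113.9 - - [16/Jun/2025:10:03:10 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Net%253Bid HTTP/1.1" 200 512',
    '203.0.113.44 - - [16/Jun/2025:10:04:00 +0000] "POST /userRpm/WlanNetworkRpm HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for src, target in scan_log(SAMPLE_LOG):
        print(f"suspicious ssid1 request from {src}: {target}")
```

A hit on a router that is in the affected model list is a reason to treat the device as compromised rather than just patch it, given that these models may be end-of-life.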


CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available.

There is currently no public information about how the shortcoming may be exploited in the wild.

In December 2024, Palo Alto Networks Unit 42 revealed that it had identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM) and that one of the IP addresses corresponding to an ENCO control device also acted as a router web server using a TP-Link WR740N to access the ENCO device from a web browser.

However, it further pointed out that “there is no hard evidence to indicate that the attackers exploited [CVE-2023-33538] in the July 2024 FrostyGoop attack.”

The Hacker News has reached out to TP-Link for further details, and we'll update the story if we hear back. In light of active exploitation, federal agencies are required to remediate the flaw by July 7, 2025.

New Activity Targets CVE-2023-28771

The disclosure comes as GreyNoise has warned of exploit attempts targeting a critical security flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).

CVE-2023-28771 refers to another operating system command injection vulnerability that could enable an unauthenticated attacker to execute commands by sending crafted requests to a susceptible device. It was patched by Zyxel in April 2023.

While the vulnerability was weaponized to build distributed denial-of-service (DDoS) botnets such as Mirai shortly after public disclosure, the threat intelligence firm said it observed heightened attempts to exploit it as recently as June 16, 2025.


As many as 244 unique IP addresses are said to have participated in the efforts over a short timespan, with the activity targeting the United States, United Kingdom, Spain, Germany, and India.

“Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771,” GreyNoise said, adding it identified “signatures consistent with Mirai botnet variants.”

To mitigate the threat, users are recommended to update their Zyxel devices to the latest version, monitor for any anomalous activity, and limit exposure where applicable.
