Multiple Botnets Targeting TP-Link Routers Exploiting Year-Old Security Flaw
April 17, 2024
A security issue identified as CVE-2023-1389, affecting TP-Link Archer AX21 routers, has become the target of at least six different botnet malware operations. This high-severity flaw allows for unauthenticated command injection via the device's web management interface. The vulnerability was discovered by multiple researchers in early 2023 and was reported to TP-Link through the Zero-Day Initiative.
In response, TP-Link released firmware updates in March 2023 to address the issue. However, shortly after these security advisories were made public, proof-of-concept exploit code was released. This led to warnings from cybersecurity teams about several botnets, including three variants of Mirai and the Condi botnet, targeting devices that had not been updated.
Fortinet, a cybersecurity firm, recently reported a significant increase in malicious activity exploiting this vulnerability, tracing it back to six botnet operations. According to their telemetry data, daily infection attempts utilizing CVE-2023-1389 frequently exceeded 40,000 and sometimes reached up to 50,000 since March 2024. Each botnet employs different strategies and scripts to exploit the flaw, gain control over the vulnerable devices, and use them for malicious activities such as distributed denial of service (DDoS) attacks.
Despite TP-Link's security update in 2023, a substantial number of users are still using outdated firmware, as indicated by Fortinet's report. This leaves their TP-Link Archer AX21 routers vulnerable to attacks. Users are urged to follow the vendor's instructions for upgrading their firmware. In addition, they should replace the default admin passwords with unique and lengthy ones and disable web access to the admin panel if it is not necessary.
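The last recommendation above, disabling web access to the admin panel where it is not needed, is the one a defender can actually verify from logs. The following is an added example, not code from the article, Fortinet or TP-Link: it parses a constructed, syslog-like connection log (the format is an assumption, not the router's real log format), treats anything outside the RFC 1918 ranges as WAN-side, and counts accepted connections from such sources to the assumed web management ports 80 and 443. A non-empty result is a direct signal that the management interface is reachable from the internet and should be closed off (and the firmware updated).

```python
"""Flag WAN-side hits on a router's web admin interface from connection logs.

Added example. The log format and the admin ports are assumptions made for
this example; adapt both to the device's real logging before use.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical
# "<timestamp> <action> src=<ip>:<port> dst=<ip>:<port>" format.
SAMPLE_LOG = """\
2024-04-17T10:00:01 ACCEPT src=192.168.0.23:51234 dst=192.168.0.1:80
2024-04-17T10:00:02 ACCEPT src=203.0.113.45:40001 dst=198.51.100.7:80
2024-04-17T10:00:03 ACCEPT src=203.0.113.45:40002 dst=198.51.100.7:80
2024-04-17T10:00:04 ACCEPT src=198.51.100.200:55000 dst=198.51.100.7:443
2024-04-17T10:00:05 ACCEPT src=10.0.0.5:33000 dst=192.168.0.1:443
2024-04-17T10:00:06 DROP src=203.0.113.99:1234 dst=198.51.100.7:22
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>[A-Z]+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports on which the web management interface is assumed to listen.
ADMIN_PORTS = {80, 443}

# RFC 1918 ranges; anything outside them is treated as WAN-side. Checked
# explicitly rather than via ipaddress.is_private, which also covers the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the sample.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_lan(ip_text):
    """True if the address falls inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def find_wan_admin_hits(log_text):
    """Count accepted connections to the admin ports from non-LAN sources, keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        if rec["action"] != "ACCEPT" or rec["dport"] not in ADMIN_PORTS:
            continue  # only accepted connections to the admin ports matter here
        if is_lan(rec["src"]):
            continue  # LAN-side management access is expected
        hits[rec["src"]] += 1
    return dict(hits)


def report(log_text):
    """Build a human-readable summary; returns the lines rather than printing them."""
    hits = find_wan_admin_hits(log_text)
    if not hits:
        return ["no WAN-side access to the web admin interface observed"]
    lines = [f"{len(hits)} external source(s) reached the web admin interface:"]
    for src, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src}: {n} accepted connection(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real export, the interesting output is not the count itself but the fact that any accepted WAN-side connection to the management ports appears at all; on a router where remote administration has been disabled, the list should be empty.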