Vulnerabilities Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers In-the-wild exploitation has been ongoing for a year, but no successful payload execution has been observed. By Ionut Arghire | April 20, 2026 (3:50 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Hackers have been targeting a vulnerability in discontinued TP-Link routers for a year, so far failing to successfully exploit it, Palo Alto Networks reports. Tracked as CVE-2023-33538 (CVSS score of 8.8), the flaw is described as an authenticated command injection issue rooted in the lack of sanitization of the ssid1 parameter in HTTP GET requests. “An attacker could send commands to this parameter. This would allow remote attackers to submit special requests, resulting in command injection and theoretically leading to arbitrary system command execution on the Wi-Fi router,” Palo Alto Networks explains. The weakness impacts TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10 router models, the cybersecurity firm says. Proof-of-concept (PoC) exploit code targeting the CVE has been publicly available for almost three years. In June last year, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, warning that it affects end-of-life (EoL) and end-of-service (EoS) products, and urging federal agencies to discontinue the use of these devices immediately. Advertisement. Scroll to continue reading. Now, Palo Alto Networks says the activity surrounding CVE-2023-33538’s exploitation that it has been tracking since June last year has involved Mirai-based payloads similar to the Condi IoT botnet binaries. The payload was designed to turn the infected devices into HTTP servers that would deliver malware binaries to requesting clients (other infected devices). Palo Alto Networks’ dive into the exploitation attempts has confirmed the existence of the underlying vulnerability, while uncovering errors in the exploit code that prevented attackers from successfully exploiting the CVE. Hackers, it says, attempted to exploit the bug without authentication, targeted the wrong parameter, and relied on a utility not present in the vulnerable devices’ BusyBox environment. “This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks,” the cybersecurity firm says. Successful exploitation of the command injection issue, Palo Alto Networks explains, could lead to denial-of-service (DoS) conditions or could allow attackers to achieve persistent access to the vulnerable devices. Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild Related: Cursor AI Vulnerability Exposed Developer Devices Related: 53 DDoS Domains Taken Down by Law Enforcement Related: 100 Chrome Extensions Steal User Data, Create Backdoor Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Two North Korean IT Worker Scheme Facilitators Jailed in the US Cursor AI Vulnerability Exposed Developer Devices 53 DDoS Domains Taken Down by Law Enforcement Artemis Emerges From Stealth With $70 Million in Funding Splunk Enterprise Update Patches Code Execution Vulnerability NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software Cisco Patches Critical Vulnerabilities in Webex, ISE Ransomware Hits Automotive Data Expert Autovista Latest News Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking British Scattered Spider Hacker Pleads Guilty in the US Hackers Abuse QEMU for Defense Evasion Bluesky Disrupted by Sophisticated DDoS Attack Senate Extends Surveillance Powers Until April 30 After Chaotic Votes in House Half of the 6 Million Internet-Facing FTP Servers Lack Encryption Next.js Creator Vercel Hacked Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email