Mirai Botnet Operators Probe EoL TP-Link Routers via CVE-2023-33538
Attackers are actively scanning for CVE-2023-33538, a command injection flaw in end-of-life TP-Link routers including TL-WR940N, TL-WR740N, and TL-WR841N, in an apparent effort to deploy a Mirai-based Condi botnet variant. Researchers observed malicious requests targeting the /userRpm/WlanNetworkRpm.htm interface, abusing SSID-related parameters to fetch an ELF payload such as arm7 from 51.38.137[.]113 and connect infected devices to infrastructure including cnc.vietdediserver[.]shop and bot.ddosvps.cc. The activity followed CISA’s addition of the flaw to its Known Exploited Vulnerabilities catalog, underscoring continued attacker interest in legacy edge devices.
Palo Alto Networks Unit 42 and other researchers said the vulnerability is real, but the exploitation attempts seen so far were unsuccessful because the campaigns used flawed tradecraft: they lacked valid authentication to the router web interface, targeted incorrect parameters, and relied on tools such as wget that are not present in the routers’ constrained BusyBox environments. TP-Link said the affected products are no longer supported and will not receive patches, leaving replacement of the devices and elimination of default or weak administrative credentials as the primary mitigations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers publish analysis of failed Mirai-style exploit chain
On April 17, 2026, researchers reported and analyzed the exploitation attempts, showing the flaw is real but the observed attacks failed because they were unauthenticated, targeted the wrong parameter, and relied on unavailable tooling such as wget. They also concluded successful exploitation requires valid router web interface credentials.
TP-Link confirms affected routers are end-of-life and unpatched
TP-Link said the impacted router models are no longer supported, no patches will be issued, and users should replace them with currently supported hardware.
Researchers observe large-scale automated exploitation attempts
Around the time of the KEV listing, Palo Alto Networks Unit 42 observed widespread automated attempts to exploit CVE-2023-33538 against end-of-life TP-Link routers using Mirai-like payloads and infrastructure including 51.38.137.113 and cnc.vietdediserver.shop.
CISA adds CVE-2023-33538 to the KEV catalog
CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog in June 2025, citing exploitation concerns; one report says federal agencies were given a remediation deadline of July 7, 2025.
CVE-2023-33538 is publicly disclosed in TP-Link routers
A command injection vulnerability, CVE-2023-33538, was publicly disclosed in June 2023 affecting legacy TP-Link router models including TL-WR940N, TL-WR740N, and TL-WR841N variants.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Attempted exploitation of vulnerability impacting EoL TP-Link routers discovered | brief | SC Media
scworld.com
Open sourceCVE-2023-33538 under attack for a year, but exploitation still unsuccessful
securityaffairs.com
Open sourceHackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts
cybersecuritynews.com
Open sourceA Deep Dive into the Attempted Exploitation of CVE-2023-33538 | Community Portal | Gurucul
community.gurucul.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mirai Botnet Exploits CVE-2025-29635 in End-of-Life D-Link DIR-823X Routers
A Mirai-based malware campaign is actively exploiting **CVE-2025-29635**, a high-severity command-injection flaw in end-of-life **D-Link DIR-823X** routers, marking the first reported in-the-wild abuse of the vulnerability since its public disclosure and proof-of-concept release in 2025. Akamai said it began seeing attacks in early March 2026 through crafted `POST` requests to the `/goform/set_prohibiting` endpoint, where unsanitized input reaches `system()` and enables remote command execution on affected firmware versions **240126** and **240802**. The activity targets discontinued devices unlikely to receive vendor fixes, increasing exposure for organizations still running the routers. The attackers use the exploit to fetch and run a shell script that installs a Mirai variant dubbed **tuxnokill**, which retains common Mirai strings while using XOR obfuscation with key `0x30`. Akamai linked the same actor to similar Mirai deployment patterns against **TP-Link AX21** devices via **CVE-2023-1389** and against **ZTE ZXV10 H108L** routers through another remote code execution flaw, underscoring continued botnet weaponization of older, publicly documented vulnerabilities. Security advisories recommend replacing unsupported D-Link hardware, restricting exposed administrative interfaces, and rapidly remediating known router flaws before they are folded into botnet operations.
Apr 23, 2026
Exploited TP-Link and Ivanti Edge Devices Prompt Replacement Warnings
Finnish cybersecurity authorities warned that internet-facing edge devices are being actively exploited by state-backed actors, citing intrusions involving **Ivanti Connect Secure** and **Policy Secure** appliances as well as older **TP-Link** home routers and access points. In the Ivanti cases, five vulnerabilities were disclosed and three were reported as actively exploited, prompting Finland’s National Cyber Security Centre to contact hundreds of owners of exposed devices. A joint warning from international authorities said attackers could remain hidden for long periods, while Ivanti’s detection tool might miss compromises and even factory resets or software updates might not fully remove attacker access. Authorities also reported that Russia-linked threat actors exploited **TP-Link** devices affected by `CVE-2023-50224` for cyber espionage, with public reporting tying the activity to credential theft, DNS manipulation, and traffic hijacking. TP-Link said many affected consumer models are end-of-life and no longer receive normal security support, leaving most without a full patch and only a few with partial fixes. TP-Link and the Finnish Cyber Security Centre urged organizations and consumers to replace unsupported devices, apply the latest available firmware where possible, disable remote management, limit legacy equipment to trusted internal networks, and watch for abnormal DNS changes.
Apr 15, 2026
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026