Severity: High | CISA KEV | Exploited in the wild | Public exploit

Unauthenticated Command Injection in TP-Link Archer AX21 /locale Endpoint

Identifiers: CVE-2023-1389, CWE-78. Also known as: zdi_23_451

CVE-2023-1389 is an unauthenticated command injection vulnerability in TP-Link Archer AX21 (AX1800) routers running firmware before 1.1.4 Build 20230219. The flaw is in the locale API of the web management interface, at the /cgi-bin/luci/;stok=/locale endpoint, which is reachable without a valid session token. During a write operation on the country form, the attacker-controlled country parameter is incorporated into a shell command without sanitization and executed via popen(). Public analyses place the vulnerable code path in set_country, which calls merge_country_config/merge_config_by_country. Because the input reaches a system command without neutralization (CWE-78), a network-adjacent attacker can send a single crafted request (a POST, or a GET as in the public proofs of concept) and execute arbitrary commands as root.
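To make the flawed pattern concrete, the following is an added Python illustration, not code from this page or from TP-Link's firmware. The vulnerable handler splices the country value into a shell string, with subprocess shell=True standing in for the C popen() the advisory names and echo standing in for the real merge helper (both are assumptions for the example). The hardened handler allowlists the value against a constructed subset of two-letter codes and passes it as a separate argv element, so no shell ever parses it.

```python
import re
import subprocess

# Constructed allowlist for the example; a shipping implementation would carry
# the full code table the locale form is meant to accept.
ALLOWED_COUNTRIES = {"US", "GB", "DE", "FR", "JP", "CN"}
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def vulnerable_handler(country: str) -> str:
    """The flawed pattern: an untrusted form value is pasted into a shell
    string and handed to a shell. shell=True plays the role of popen(), and
    'echo' plays the role of the firmware's merge helper (assumption)."""
    cmd = f"echo setting country {country}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_country(country: str) -> bool:
    """Strict allowlist: exactly two upper-case letters and a known code."""
    return bool(COUNTRY_RE.match(country)) and country in ALLOWED_COUNTRIES


def hardened_handler(country: str) -> tuple:
    """Reject anything outside the allowlist, then invoke the helper with an
    argv list so metacharacters in the value are never interpreted."""
    if not is_valid_country(country):
        return ("rejected", "")
    out = subprocess.run(
        ["echo", "setting country", country], capture_output=True, text=True
    ).stdout
    return ("ok", out)


if __name__ == "__main__":
    payload = "US; echo INJECTED"
    print("vulnerable:", repr(vulnerable_handler(payload)))
    print("hardened:  ", hardened_handler(payload))
    print("hardened:  ", hardened_handler("US"))
```

The harmless payload `US; echo INJECTED` shows the difference: the vulnerable path runs the second command, the hardened path never reaches a shell. Quoting the value with shlex.quote would also stop this particular injection, but it would still accept values like `ZZ` that the downstream helper cannot handle, which is why the allowlist comes first.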


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation gives an unauthenticated attacker arbitrary command execution as root on the affected router. That means full device compromise: installation of malware or botnet payloads, modification of the router configuration, interception or manipulation of network traffic, persistence, and use of the device for follow-on activity such as DDoS attacks or lateral movement into the local network. Multiple public reports confirm active in-the-wild exploitation by Mirai variants, Condi, Moobot, Gafgyt-related activity, Ballista, and other botnet operators.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the router's web management interface to trusted administrative networks, disable remote/WAN administration, and make sure the admin panel is not reachable from the Internet. Change default or weak administrator credentials; this does not block the vulnerability itself, which needs no authentication, but it limits what an attacker can do through the normal interface afterwards. Monitor for unexpected configuration changes or unknown processes, and isolate or replace devices that cannot be updated. Because exploitation has been widely automated by botnets, any Internet exposure of the management interface materially increases risk.

Remediation

Patch, then assume compromise.

Upgrade affected TP-Link Archer AX21 firmware to a fixed release. Vulnerable versions are firmware before 1.1.4 Build 20230219; TP-Link issued firmware updates in March 2023, with fixes available by March 17, 2023 and download guidance on TP-Link's Archer AX21 support page. Apply the latest vendor-provided firmware for the specific hardware revision, then confirm from the device's reported version string that it is no longer running a vulnerable build. Because the flaw has been exploited at scale for years, treat any device that was Internet-exposed while unpatched as potentially compromised: factory-reset it after updating, re-enter configuration by hand rather than restoring a backup, and rotate its credentials.
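As an added example, not code from this page or from any of the listed repositories, the Python helpers below perform the two checks the mitigation and remediation text ask for: decide from a firmware version string whether a build predates 1.1.4 Build 20230219, and scan web-server access-log lines for country writes to the locale endpoint whose country value is not a plain two-letter code. The version strings and log lines are constructed for the example; the log format is assumed to be common/combined log format, and the two-letter-code rule is an assumption about what the form should legitimately carry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed build from the advisory: firmware before 1.1.4 Build 20230219 is vulnerable.
FIXED_BUILD = (1, 1, 4, 20230219)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", re.IGNORECASE)


def parse_firmware_version(banner: str):
    """Extract (major, minor, patch, build_date) from a TP-Link style string
    such as '1.1.4 Build 20230219'; trailing release tags are ignored."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_build(banner: str):
    """True if the build predates the fix, False if at or after it,
    None if the string cannot be parsed (escalate for a manual check)."""
    v = parse_firmware_version(banner)
    return None if v is None else v < FIXED_BUILD


# Request-side triage. The path keeps LuCI's ';stok=<token>' segment; an empty
# token ('stok=/') is the form the public exploits use.
LOCALE_PATH_RE = re.compile(r"^/cgi-bin/luci/?;stok=[^/]*/locale$")
SAFE_COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")  # assumption: legitimate values are ISO-style codes


def classify_request(method: str, target: str, body: str = "") -> dict:
    """Classify one request; POST bodies are merged with query parameters."""
    parts = urlsplit(target)
    if not LOCALE_PATH_RE.match(parts.path):
        return {"suspicious": False, "country": None, "reason": "not the locale endpoint"}
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    if params.get("form") != ["country"] or params.get("operation") != ["write"]:
        return {"suspicious": False, "country": None, "reason": "not a country write"}
    countries = params.get("country", [])
    for c in countries:
        if not SAFE_COUNTRY_RE.match(c):
            return {"suspicious": True, "country": c, "reason": "country value is not a two-letter code"}
    return {"suspicious": False, "country": countries[0] if countries else None,
            "reason": "well-formed country write"}


ACCESS_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_exploit_attempts(log_lines):
    """Return (line_number, decoded country value) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = ACCESS_LINE_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m["method"], m["target"])
        if verdict["suspicious"]:
            hits.append((n, verdict["country"]))
    return hits


# Constructed sample log lines for the example; not real captures.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=lang HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 44',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%3Bid HTTP/1.1" 200 44',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29 HTTP/1.1" 200 44',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for banner in ("1.1.3 Build 20230117 rel.31044", "1.1.4 Build 20230219 rel.31322"):
        print(banner, "->", "vulnerable" if is_vulnerable_build(banner) else "fixed")
    print(find_exploit_attempts(SAMPLE_LOG))
```

Two caveats when running this against real data: access logs do not record POST bodies, so POST exploitation is only visible if you feed the body through the `body` argument from a proxy or packet capture; and a country write arriving with an empty session token from a non-management address is worth alerting on by itself, even when the value looks well-formed.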
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 2 / 3 total
CVE-2023-1389 | Maturity: PoC | Verified exploit

This repository is a Go-based proof-of-concept exploit for CVE-2023-1389, targeting TP-Link Archer AX21 routers vulnerable to unauthenticated command injection. The main file, main.go, reads a list of target IP addresses from 'list.txt' and attempts to exploit each by sending a crafted HTTPS request to the /cgi-bin/luci/ endpoint, injecting a reverse shell payload. The payload causes the target device to connect back to the attacker's netcat listener, granting a remote shell. The exploit supports concurrent execution using goroutines and a concurrency manager. The repository includes a README with usage instructions, a Go module definition, and dependencies for command-line flag parsing and concurrency control. No detection or scanning functionality is present; the tool is strictly for exploitation. The main attack vector is network-based, exploiting a web interface on the target devices.

Author: werwolfz | Disclosed: Dec 25, 2023 | Language: go | Vector: network
CVE-2023-1389 | Maturity: PoC | Verified exploit

This repository contains two Python proof-of-concept exploits for CVE-2023-1389, an unauthenticated command injection vulnerability in the TP-Link Archer AX21 (AX1800) router's web management interface. The vulnerability is in the 'country' parameter of the 'write' callback at the '/cgi-bin/luci/;stok=/locale' endpoint and allows arbitrary command execution as root without authentication.
- 'archer-file-transfer.py' executes arbitrary commands on the router and exfiltrates their output by writing it to '/tmp/out' and transferring the file via netcat to the attacker's machine.
- 'archer-rev-shell.py' is a simpler script that obtains a reverse shell on the attacker's system using netcat.
Both scripts require the attacker to specify the router's IP, their own IP, and a listening port, and work by sending crafted GET requests that inject commands through the 'country' parameter. The README provides usage instructions and mitigation advice. The repository consists of the README and the two Python scripts, both of which are functional proof-of-concept exploits for the described vulnerability.

Author: Voyag3r-Security | Disclosed: Jul 28, 2023 | Language: python | Vector: network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
TP-Link | Archer AX21 Firmware | operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
