The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Monday added a high-severity safety flaw in TP-Hyperlink wi-fi routers to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability in query is CVE-2023-33538 (CVSS rating: 8.8), a command injection bug that would consequence within the execution of arbitrary system instructions when processing the ssid1 parameter in a specifically crafted HTTP GET request.
“TP-Hyperlink TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 include a command injection vulnerability by way of the element /userRpm/WlanNetworkRpm,” the company stated.
CISA has additionally warned that there’s a risk that affected merchandise might be end-of-life (EoL) and/or end-of-service (EoS), urging customers to discontinue their use if no mitigations can be found.
There’s at the moment no public details about how the shortcoming could also be exploited within the wild.
In December 2024, Palo Alto Networks Unit 42 revealed that it had recognized extra samples of an operational know-how (OT)-centric malware known as FrostyGoop (aka BUSTLEBERM) and that one of many IP addresses akin to an ENCO management system additionally acted as a router net server utilizing TP-Hyperlink WR740N to entry the ENCO system from an online browser.
Nevertheless, it additional identified that “there is no such thing as a laborious proof to point that the attackers exploited [CVE-2023-33538] within the July 2024 FrostyGoop assault.”
The Hacker Information has reached out to TP-Hyperlink for additional particulars, and we are going to replace the story if we hear again. In mild of energetic exploitation, federal businesses are required to remediate the flaw by July 7, 2025.
New Exercise Targets CVE-2023-28771
The disclosure comes as GreyNoise has warned of exploit makes an attempt focusing on a crucial safety flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS rating: 9.8).
CVE-2023-28771 refers to a different working system command injection vulnerability that would allow an unauthenticated attacker to execute instructions by sending crafted requests to a inclined system. It was patched by Zyxel in April 2023.
Whereas the vulnerability was weaponized to construct distributed denial-of-service (DDoS) botnets resembling Mirai shortly after public disclosure, the risk intelligence agency stated it noticed heightened makes an attempt to use it as just lately as June 16, 2025.
As many as 244 distinctive IP addresses are stated to have participated within the efforts over a brief timespan, with the exercise focusing on the US, United Kingdom, Spain, Germany, and India.
“Historic evaluation signifies that within the two weeks previous June 16, these IPs weren’t noticed participating in some other scanning or exploit conduct — solely focusing on CVE-2023-28771,” GreyNoise stated, including it recognized “indicators in keeping with Mirai botnet variants.”
To mitigate the risk, customers are really helpful to replace their Zyxel units to the newest model, monitor for any anomalous exercise, and restrict publicity the place relevant.
