Original Article Text

Multiple botnets exploiting one-year-old TP-Link flaw to hack routers.

At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue that was reported and addressed last year.

Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface. Several researchers discovered it in January 2023 and reported it to the vendor through the Zero-Day Initiative (ZDI). TP-Link addressed the problem with the release of firmware security updates in March 2023.

Proof-of-concept exploit code emerged shortly after the security advisories became public. Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants and a botnet named "Condi," that targeted unpatched devices.

Yesterday, Fortinet issued another warning saying that it observed a surge in malicious activity exploiting the vulnerability, noting that it originated from six botnet operations. Fortinet's telemetry data shows that starting in March 2024, daily infection attempts leveraging CVE-2023-1389 often went beyond 40,000 and up to 50,000.

Each of these botnets uses different methods and scripts to exploit the vulnerability, establish control over the compromised devices, and command them to take part in malicious activities such as distributed denial of service (DDoS) attacks. Fortinet's report indicates that despite the vendor's release of a security update last year, a significant number of users continue to run outdated firmware.

TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrade instructions. They should also change the default admin password to something unique and long, and disable web access to the admin panel if it is not needed.

Daily Brief Summary

MALWARE // Multiple Botnets Target TP-Link Routers with Old Flaw

Multiple botnets are exploiting CVE-2023-1389, a high-severity command injection vulnerability in TP-Link Archer AX21 routers.

Despite a firmware update in March 2023, many users have not updated, leaving routers susceptible to attacks.

The vulnerability allows unauthenticated remote command execution via the router’s web management interface.

Fortinet's data shows daily attempts to exploit this flaw often exceed 40,000, with peaks around 50,000.

The flaw is under active exploitation by at least six different botnet operations, including three Mirai variants and the “Condi” botnet.

Attackers use the vulnerability to control affected routers for malicious activities, including DDoS attacks.

Users are urged to update firmware, change default admin passwords, and disable unnecessary web admin panel access.