CVE-2023-1389 is a critical command injection vulnerability found in the web management interface of TP-Link Archer AX21 (AX1800) routers. This flaw allows remote attackers to execute arbitrary commands on the affected device without authentication. The vulnerability is particularly dangerous as it can be exploited to gain full control over the router, enabling attackers to install malware, steal sensitive information, or use the compromised device as part of a botnet.
The vulnerability has been actively exploited in the wild, with reports indicating that it has been added to the arsenal of several well-known botnets, including Mirai, Moobot, Miori, AGoent, and Gafgyt. These botnets are often used to launch distributed denial-of-service (DDoS) attacks, mine cryptocurrencies, or conduct other malicious activities.
Exploitation of CVE-2023-1389 typically involves sending specially crafted HTTP requests to the router's web management interface. These requests carry malicious payloads that the router's underlying operating system executes, giving the attacker control over the device. The vulnerability carries a CVSS v3 base score of 9.8, reflecting its critical severity and the urgent need for remediation.
TP-Link has acknowledged the vulnerability and released firmware updates to address the issue. Users are strongly advised to apply these updates as soon as possible to protect their devices from potential attacks. Additionally, it is recommended to disable remote management features and use strong, unique passwords to further mitigate the risk of exploitation.