Attack information

Tag
CVE-2023-1389
Date
2026-01-30
Client IP
130.12.180.108
Client GEO
 
Vendor
TP-Link 
Product
Archer AX21 
RAW request
GET /cgi-bin/luci/;stok=/locale HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/█████████ Safari/537.36
Host: █████████████
X-Forwarded-For: ██████████████
Referer: https://█████████████:443/cgi-bin/luci/;stok=/locale
Connection: close

Description

CVE-2023-1389 is a critical command injection vulnerability found in the web management interface of TP-Link Archer AX21 (AX1800) routers. This flaw allows remote attackers to execute arbitrary commands on the affected device without authentication. The vulnerability is particularly dangerous as it can be exploited to gain full control over the router, enabling attackers to install malware, steal sensitive information, or use the compromised device as part of a botnet.

The vulnerability has been actively exploited in the wild, with reports indicating that it has been added to the arsenal of several well-known botnets, including Mirai, Moobot, Miori, AGoent, and Gafgyt. These botnets are often used to launch distributed denial-of-service (DDoS) attacks, mine cryptocurrencies, or conduct other malicious activities.

The exploitation of CVE-2023-1389 typically involves sending specially crafted HTTP requests to the router's web management interface. These requests contain malicious payloads that are executed by the router's underlying operating system, allowing the attacker to gain control over the device. The vulnerability is rated with a CVSS v3 base score of 9.8, indicating its high severity and the urgent need for remediation.

TP-Link has acknowledged the vulnerability and released firmware updates to address the issue. Users are strongly advised to apply these updates as soon as possible to protect their devices from potential attacks. Additionally, it is recommended to disable remote management features and use strong, unique passwords to further mitigate the risk of exploitation.

Mitigations
  1. Update Firmware: Download and install the latest firmware update for the TP-Link Archer AX21 from the official TP-Link website.
  2. Disable Remote Management: If not needed, disable the remote management feature on the router to prevent unauthorized access.
  3. Use Strong Passwords: Ensure that the router's admin interface is protected with a strong, unique password.
  4. Network Segmentation: Place the router in a separate network segment to limit the potential impact of a compromised device.
  5. Monitor Network Traffic: Regularly monitor network traffic for unusual activity that may indicate an attempted or successful exploitation.
  6. Apply Security Best Practices: Follow general security best practices, such as keeping all network devices updated and using firewalls to protect the network.
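The raw request recorded above is a bare, unauthenticated touch of the vulnerable locale endpoint (note the empty `stok=` session token), and mitigation 5 asks for traffic monitoring. The following classifier is an added example for this page, not code from the page's source or from TP-Link: it parses captured requests of that shape and separates three cases, a logged-in admin reading the locale form, an unauthenticated probe like the one above, and an attempt that places shell metacharacters in the `country` parameter that the public CVE record names as the injection point. The three sample requests, the addresses and the marker string are constructed; only the endpoint path and the `country` parameter come from the page and the CVE description.

```python
"""Classify captured HTTP requests aimed at the TP-Link Archer AX21 LuCI
locale endpoint abused by CVE-2023-1389.

Added example; not code from the page's source or from TP-Link. All sample
requests and addresses below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Vulnerable endpoint: LuCI session token (stok) followed by /locale.
# An empty token is what an unauthenticated client sends.
LOCALE_PATH_RE = re.compile(r"^/cgi-bin/luci/?;stok=(?P<stok>[^/]*)/locale")

# Characters a legitimate locale/country code never contains.
SHELL_META_RE = re.compile(r"[;|&`$(){}<>\r\n]")


def parse_request(raw: str) -> dict:
    """Split raw HTTP request text into method, target and headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def assess(raw: str) -> dict:
    """Return a verdict ('none', 'probe' or 'exploit-attempt') with reasons."""
    req = parse_request(raw)
    # Prefer X-Forwarded-For when a proxy sits in front of the sensor.
    client = req["headers"].get("x-forwarded-for", "unknown").split(",")[0].strip()
    parts = urlsplit(req["target"])
    match = LOCALE_PATH_RE.match(parts.path)
    if not match:
        return {"verdict": "none", "client": client, "reasons": []}

    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)
    unauthenticated = match.group("stok") == ""
    if unauthenticated:
        reasons.append("empty stok: locale endpoint reached without a session")

    # Any shell metacharacter in a country code is a red flag on its own.
    tainted = [v for v in params.get("country", []) if SHELL_META_RE.search(v)]
    if tainted:
        reasons.append("shell metacharacters in country parameter")

    if tainted:
        verdict = "exploit-attempt"
    elif unauthenticated:
        verdict = "probe"
    else:
        verdict = "none"
    return {"verdict": verdict, "client": client, "reasons": reasons}


# Constructed samples. The first mirrors the probe recorded on this page.
PROBE = """GET /cgi-bin/luci/;stok=/locale HTTP/1.0
Host: 192.0.2.1
X-Forwarded-For: 198.51.100.7
Connection: close
"""

# A logged-in admin's browser reading the locale form with a session token.
LEGIT = """GET /cgi-bin/luci/;stok=0123abcd/locale?form=country&operation=read HTTP/1.1
Host: 192.0.2.1
"""

# Unauthenticated write with a URL-encoded ';' in the country value; the
# command part is replaced by a harmless constructed marker.
INJECT = """GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US%3BCONSTRUCTED_MARKER HTTP/1.1
Host: 192.0.2.1
X-Forwarded-For: 198.51.100.7
"""

if __name__ == "__main__":
    for name, sample in (("probe", PROBE), ("legit", LEGIT), ("inject", INJECT)):
        print(name, assess(sample))
```

Run against a honeypot or reverse-proxy capture, a `probe` verdict on its own is scanning noise worth counting per source address, while `exploit-attempt` is the event to alert on and to correlate with the mitigation steps above (firmware level of the device, remote management enabled or not). Decoding is done with `parse_qs`, so percent-encoded metacharacters are caught as well as literal ones.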