🔓 CVE-2023-33538

TP-Link routers contain a command injection vulnerability in the /userRpm/WlanNetworkRpm component that allows authenticated attackers to execute arbitrary commands. This vulnerability is actively exploited in the wild and affects commonly deployed home/small business routers that are inherently internet-facing.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-06-07

Added to CISA KEV: 2025-06-16 (740 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-33538 is a command injection vulnerability affecting several older TP-Link router models, specifically the TL-WR940N (V2/V4), TL-WR841N (V8/V10), and TL-WR740N (V1/V2) [2].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been observed in the wild and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog [4] [7].
  • Effectiveness: Despite being under active attack for a significant period, security research indicates that many observed exploitation attempts—and even some public proof-of-concept (PoC) code—have been unsuccessful in actually compromising the target router environments [1].
  • Campaigns: There is no widespread evidence linking this specific CVE to major ransomware campaigns; it is primarily associated with opportunistic exploitation attempts [1].
Attack Method and Requirements
  • Method: The vulnerability exists in the `/userRpm/WlanNetworkRpm` component, where the `ssid1` parameter is not properly sanitized [5] [1]. Attackers can send crafted HTTP requests to inject and execute arbitrary shell commands [1].
  • Requirements: Exploitation typically requires the attacker to be authenticated to the device's management interface [6].
Impact and Availability of Tools
  • Impact: Successful exploitation allows for arbitrary command execution on the router, which could lead to full device compromise, configuration changes, or use of the device in botnets [1].
  • Tools: Public PoC code and Metasploit modules exist for this vulnerability, though as noted, their reliability in achieving successful code execution varies [3] [6].
Affected Products and Mitigation
  • Affected Models: TP-Link TL-WR940N (V2/V4), TL-WR841N (V8/V10), and TL-WR740N (V1/V2) [2].
  • Status: Users are advised to check the official TP-Link support website for firmware updates. Given that these are older models, if a patch is unavailable, it is recommended to replace the device with a currently supported model to ensure security.
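
For defenders who have HTTP logs from a proxy or sensor in front of an affected router, the following added example (not taken from this page's sources or from TP-Link) flags requests to the `/userRpm/WlanNetworkRpm` component whose `ssid1` value contains shell metacharacters. The log format, the metacharacter set, the assumption that the parameter appears in the logged request URI, and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

TARGET_PATH = "/userRpm/WlanNetworkRpm"   # component named on this page
TARGET_PARAM = "ssid1"                    # parameter named on this page
# Assumption: triage heuristic, characters a shell treats specially.
SHELL_META = re.compile(r"[;&|`$<>\\\n\r]")
# Assumption: Common Log Format style lines with a quoted request field.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample log; addresses are documentation ranges, paths/params illustrative.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet&region=1 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=HomeNet%3Bid&region=1 HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /userRpm/WlanNetworkRpm.htm?ssid1=x%2560id%2560 HTTP/1.1" 200 512
203.0.113.4 - - [01/Jan/2025:10:00:12 +0000] "GET /userRpm/OtherPage.htm?ssid1=a%3Bb HTTP/1.1" 200 512
"""

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded metacharacters are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text):
    """Return (source, decoded ssid1) for requests that warrant review."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        uri = urlsplit(m.group("uri"))
        if TARGET_PATH not in uri.path:
            continue
        # Split on '&' before decoding so an encoded '&' stays inside its value.
        for pair in uri.query.split("&"):
            name, _, raw = pair.partition("=")
            value = decode_fully(raw)
            if decode_fully(name) == TARGET_PARAM and SHELL_META.search(value):
                hits.append((m.group("src"), value))
    return hits

if __name__ == "__main__":
    for src, value in find_suspicious(SAMPLE_LOG):
        print(f"review: {src} sent ssid1={value!r}")
```

A hit is a lead for review rather than proof of compromise, consistent with the report above that many observed attempts fail.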

Sources

  1. CVE-2023-33538 under attack for a year, but

    CVE-2023-33538, disclosed in June 2023, lies in the /userRpm/WlanNetworkRpm endpoint, where the ssid1 parameter is not properly sanitized. ... Palo Alto Networks published a detailed analysis of the exploit for CVE-2023-33538 on a TP-Link router to better understand the reason for the failure. ... N…

  2. CVE-2023-33538 Detail - NVD

    Description. TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component / ...

  3. GitHub - explxx/CVE-2023-33538: Python Exploit for TP-Link TL-WR940N/TL ...

  4. NVD - CVE-2023-33538

    Added. Reference Type. CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33538 Types: US Government Resource.Added. Reference Type. MITRE: https://www.secpod.com/blog/cisa-issues-warning-on-active-exploitation-of-tp-link-vulnerability-cve-2023-33538/ Types: Th…

  5. TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and...

    TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-33538. Published by the National Vulnerability Databas…

  6. GitHub - mrowkoob/CVE-2023-33538-msf: CVE-2023-33538 - TP-Link...

    This Metasploit auxiliary module targets an authenticated command injection vulnerability in TP-Link TL-WR940N V2/V4 and TL-WR841N V8/V10 routers. The issue lies in the vulnerable ssid1 parameter used in WlanNetworkRpm.htm, which allows injection of arbitrary shell commands. If you find bugs, or have…

  7. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability; CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability.