CVE-2023-50224 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2024-05-03

Added to CISA KEV: 2025-09-03 488 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review router logs, check for unauthorized access, verify admin credentials haven't been changed
Immediately update firmware to version 12.0 or later if available for your hardware revision
Disable remote management features if not absolutely necessary
Change all router credentials immediately after patching
Implement network segmentation to isolate router management
Monitor for unauthorized configuration changes

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2023-50224 is a critical security vulnerability affecting various legacy TP-Link SOHO (Small Office/Home Office) routers ^[1]. It has been identified as a significant security risk due to its active exploitation by sophisticated threat actors ^[2].

Exploitation and Threat Actors

Active Exploitation: The vulnerability is actively exploited in the wild ^[3].
Threat Actors: It has been linked to campaigns by the Russian GRU 85th Main Special Service Center (also known as APT28, Fancy Bear, or Forest Blizzard) ^[2]. These actors have used the vulnerability to compromise routers globally as part of broader operations involving DNS hijacking and credential harvesting ^[2].

Attack Method and Requirements

Method: The flaw exists within the `httpd` service (listening on TCP port 80 by default) and results from improper authentication ^[4]?trk=article-ssr-frontend-pulse_little-text-block?kagi_q=CVE-2023-50224+details+exploitation+threat+actors+impact+patch+status.
Requirements: It is a network-adjacent attack that does not require user interaction or authentication to exploit ^[4]?trk=article-ssr-frontend-pulse_little-text-block?kagi_q=CVE-2023-50224+details+exploitation+threat+actors+impact+patch+status.
Impact: Successful exploitation allows attackers to disclose sensitive information, including the router's configuration and password files ^[5]. This is often used to redirect traffic, harvest login credentials for web and email services, and potentially achieve further remote code execution with high privileges ^[1] ^[5].

Affected Products and Mitigation

Status: Most affected TP-Link products have reached End-of-Life (EOL) status and are no longer supported by standard maintenance updates ^[3].
Mitigation: Because these devices are legacy hardware, TP-Link generally does not provide patches for them. The primary recommended mitigation is to replace the vulnerable, outdated hardware with a currently supported device ^[1]. Users should consult official TP-Link security advisories for specific model information and guidance ^[3].

Sources

An Important Update for TP-Link Customers Regarding Recent...
The vulnerability named in the report is CVE-2023-50224, an exploit that allowed attackers to redirect traffic to harvest login credentials and passwords for web and email related services, mainly targeting outdated small office/home office (SOHO) routers.Where a patch is not available, our recommen…
Internet Crime Complaint Center (IC3) | Russian GRU Exploiting ...
Understanding the DNS Hijacking Operations Since at least 2024, Russian GRU 85th Main Special Service Center (85th GTsSS) cyber actors — also known as APT28, Fancy Bear, and Forest Blizzard — have been collecting credentials and exploiting vulnerable routers worldwide, including compromising TP-Link…
Security Advisory for CVE-2023-50224 – Impact on Legacy TP-Link ...
Public reporting indicates this vulnerability may be actively exploited in the wild, including in campaigns involving DNS manipulation. TP‑Link ... TP-Link is aware of recent public reporting and law-enforcement disclosures describing exploitation activity involving legacy consumer networking device…
CVE-2023-50224 Detail - NVD
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of TP-Link TL-WR841N routers. Authentication is ...
CVE-2023-50224 - Exploits & Severity - Feedly
The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by ... CVE-2023-50224 is a critical authentication bypass vulnerability in certain routers that allows unauthenticated attackers to access sensit…