
TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert

By Ravie Lakshmanan, The Hacker News
June 17, 2025
Network Security / IoT Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.

“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm,” the agency said.


CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available.

There is currently no public information about how the shortcoming may be exploited in the wild.
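
For defenders who have proxy or web logs in front of the affected models, the sketch below flags requests to the component named in the CISA description whose ssid1 value contains shell metacharacters. It is an added example, not code from the original article, CISA or TP-Link; the combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path named in the CISA description quoted above. Prefix match, in case
# the device's page name carries a file extension.
TARGET_PATH = "/userRpm/WlanNetworkRpm"

# Characters a shell treats as control syntax. An SSID has no need for
# them, so their presence in ssid1 is worth a manual review.
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")

# Combined log format (assumed): client ... "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def flag_ssid1(target):
    """Return decoded ssid1 values that contain shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.startswith(TARGET_PATH):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("ssid1", [])
    return [v for v in values if SHELL_META.search(v)]

def scan(lines):
    """Return (client, status, value) for each log line worth reviewing."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, _method, target, status = m.groups()
        for value in flag_ssid1(target):
            hits.append((client, int(status), value))
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeNet HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jun/2025:10:05:40 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=lab%3Becho%20test HTTP/1.1" 200 498',
    '198.51.100.7 - - [17/Jun/2025:10:05:41 +0000] "GET /userRpm/StatusRpm?ssid1=lab%3Becho%20test HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"review: {client} status={status} ssid1={value!r}")
```

A hit only means the request deserves review; whether a device is affected still depends on the model and hardware version listed by CISA.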

In December 2024, Palo Alto Networks Unit 42 revealed that it had identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM) and that one of the IP addresses corresponding to an ENCO control device also acted as a router web server using TP-Link WR740N to access the ENCO device from a web browser.

However, it further pointed out that “there is no hard evidence to indicate that the attackers exploited [CVE-2023-33538] in the July 2024 FrostyGoop attack.”

The Hacker News has reached out to TP-Link for further details, and we will update the story if we hear back. In light of active exploitation, federal agencies are required to remediate the flaw by July 7, 2025.

New Activity Targets CVE-2023-28771

The disclosure comes as GreyNoise has warned of exploit attempts targeting a critical security flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).

CVE-2023-28771 refers to another operating system command injection vulnerability that could permit an unauthenticated attacker to execute commands by sending crafted requests to a susceptible device. It was patched by Zyxel in April 2023.

While the vulnerability was weaponized to build distributed denial-of-service (DDoS) botnets such as Mirai shortly after public disclosure, the threat intelligence firm said it spotted heightened attempts to exploit it as recently as June 16, 2025.


As many as 244 unique IP addresses are said to have participated in the efforts over a short timespan, with the activity targeting the United States, United Kingdom, Spain, Germany, and India.

“Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771,” GreyNoise said, adding it identified “indicators consistent with Mirai botnet variants.”

To mitigate the threat, users are recommended to update their Zyxel devices to the latest version, monitor for any anomalous activity, and limit exposure where applicable.
