
Multiple TP-Link Vulnerabilities Allow Attackers to Seize Control of the Device

Cybersecurity researchers have identified five distinct security flaws in the TP-Link Archer AX53 v1.0 router.

Tracked under multiple CVE identifiers, these vulnerabilities impact the router’s core modules, including OpenVPN, dnsmasq, and tmpServer.

When exploited, these flaws allow attackers on the same network to execute system commands, cause system crashes, and steal sensitive configuration files, ultimately leading to the complete compromise of the device.

High-Severity Command Injection Flaws

The most critical vulnerabilities discovered are two OS command injection flaws, carrying a high CVSS v4.0 score of 8.5.

  • CVE-2026-30815 resides in the OpenVPN module.
  • CVE-2026-30818 affects the dnsmasq module.

Both vulnerabilities occur because the router fails to properly validate input when processing configuration files.

An authenticated attacker sharing the same local network (adjacent access) can upload a specially crafted configuration file to execute unauthorized system commands.

This level of access allows threat actors to modify device settings, expose sensitive data, and take total control of the router’s operating system.

Another major flaw tracked as CVE-2026-30814 (CVSS score 7.3) involves a stack-based buffer overflow in the router’s tmpServer module.

By feeding the router a malicious configuration file, an adjacent attacker can trigger a segmentation fault. This immediately crashes the service and creates a pathway to execute arbitrary code.

Code execution at this level means an attacker can force the device into an unstable state, manipulate device functions, and maintain a persistent foothold on the network hardware.

The final two vulnerabilities expose sensitive data through arbitrary file reading capabilities. Both carry a medium-severity CVSS v4.0 score of 6.8.

  • CVE-2026-30816 targets the OpenVPN module.
  • CVE-2026-30817 impacts the dnsmasq module.

These external configuration control flaws allow an attacker to bypass security restrictions and read private files stored on the device.

While this does not grant direct control over the router, it exposes critical administrative files, passwords, and network configurations that attackers can use to launch further attacks.

These vulnerabilities specifically affect the TP-Link Archer AX53 v1.0, a popular Wi-Fi 6 router widely used internationally but not sold in the United States.

TP-Link has officially addressed these security gaps in their latest firmware release.

Users and network administrators are strongly urged to update their devices immediately to protect their networks from potential exploitation.

  • Affected versions include all versions before 1.7.1 Build 20260213.
  • Users must download the updated firmware directly from the official TP-Link support portal for their specific region.

Leaving these routers unpatched gives threat actors an easy pivot point into internal networks, making immediate remediation critical for home and enterprise security alike.


The post Multiple TP-Link Vulnerabilities Allow Attackers to Seize Control of the Device appeared first on Cyber Security News.

Russian hacking group targets home and small office routers to spy on users

British security officials found that a group linked to the Russian military is spying on users of compromised Small Office/Home Office (SOHO) routers in a broad cyber espionage campaign. A Microsoft blog goes into the technical details of these attacks.

The group, which we’ll refer to as APT28, but is also known under names like Fancy Bear, BlueDelta, and Forest Blizzard, changes the DNS settings of compromised routers so their traffic is sent through servers under their control, which enables APT28 to spy on users.

The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol (IP) addresses. Devices usually get network settings from routers using Dynamic Host Configuration Protocol (DHCP).

If an attacker can tamper with the router’s DNS settings, they can silently steer traffic through infrastructure they control, harvest login details, and in some cases position themselves between the user and the real service. This is why the campaign can support credential theft and even targeted interception of Microsoft 365 and other cloud traffic.

An FBI public service announcement says that APT28:

“…has harvested passwords, authentication tokens, and sensitive information including emails and web browsing information normally protected by secure socket layer (SSL) and transport layer security (TLS) encryption.”

The FBI says the group cast a wide net over the US and globally before narrowing down its victims to those with access to information related to military, government, and critical infrastructure.

The NCSC advisory singles out one TP-Link model (WR841N) with a known vulnerability that enables an unauthenticated attacker to obtain information such as usernames and passwords via specially crafted HTTP GET requests. This router model is widely sold to consumers and small businesses and is not typically used as standard equipment by major internet service providers. The advisory also includes a long but not exhaustive list of other TP-Link router models targeted by APT28.

Microsoft Threat Intelligence says it has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure.

The router ban debate

A few weeks ago, we commented on the FCC’s decision to effectively stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”

APT28’s actions show the kind of risk the FCC is trying to stop, but they also reinforce our point: while the debate over router bans and supply-chain restrictions often focuses on national origin, the bigger issue is whether the devices are secure in practice. If a router ships with weak defaults, poor update support, or a confusing setup process, it becomes a target regardless of where it was made. Attackers do not need perfection. They only need enough exposed devices to build a large, quiet infrastructure for spying and redirection.

What you can do

We can only give general directions for checking whether your settings are OK, since the details are often very device-specific. But this method usually works:

How to check that your router’s DHCP settings match what your ISP intends:

  1. Check your current DHCP information on a device.
    On a PC or phone connected to your home network, open the network details and note the IP address, subnet mask, default gateway, and DNS servers your device is using.
  2. Log in to your router and find its WAN/Internet settings.
    In the router’s web interface, look at the “Status” or “Internet” page to see what address it has received from the ISP, and which DNS servers it is configured to use.
  3. Compare against what your ISP documents or tells you.
    Check your ISP’s support pages or contact support to confirm what they expect: whether your connection should use DHCP or PPPoE, what range your public IP should come from, and which DNS servers they normally provide. Large mismatches (for example, DNS servers in a different country or from an unknown organization) are a reason to investigate further.
  4. If you use custom DNS, document it.
    If you deliberately use alternative DNS (for example, a privacy or security resolver), write that down and periodically re‑check that your router and clients are still using the addresses you chose.
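As an added example (not from the original post), the script below automates steps 1 and 3 of the check: it parses the DNS servers a client reports and flags any resolver that falls outside the addresses you expect from your ISP or chose yourself. The ipconfig and resolv.conf samples are constructed, and the expected resolver addresses are hypothetical placeholders for what your ISP documents.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample (not captured from a real device) of the network details a
# Windows client shows with "ipconfig /all" in step 1.
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       203.0.113.7
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed /etc/resolv.conf from a Linux client on the same network.
SAMPLE_RESOLV_CONF = "search lan\nnameserver 192.168.0.1\nnameserver 203.0.113.7\n"

# Resolvers the owner expects (steps 3 and 4): the router's LAN address and the
# ISP's documented resolver range. Hypothetical addresses chosen for the example.
EXPECTED_RESOLVERS = ["192.168.0.1", "198.51.100.0/24"]


def parse_ipconfig_dns(text):
    """Return the IPv4 DNS servers from an ipconfig-style dump: the addresses on
    the 'DNS Servers' line and on continuation lines that carry no field label."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting, line = True, line.split(":", 1)[1]
        elif collecting and ":" in line:
            collecting = False          # the next labelled field ends the list
        if collecting:
            servers.extend(IPV4.findall(line))
    return servers


def parse_resolv_conf_dns(text):
    """Return the IPv4 nameservers listed in a resolv.conf-style file."""
    return [m for line in text.splitlines() if line.startswith("nameserver")
            for m in IPV4.findall(line)]


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return the servers outside every expected address or range; anything
    listed here (e.g. a resolver you never configured) deserves a closer look."""
    nets = [ipaddress.ip_network(e, strict=False) for e in expected]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]


if __name__ == "__main__":
    for name, found in (("ipconfig", parse_ipconfig_dns(SAMPLE_IPCONFIG)),
                        ("resolv.conf", parse_resolv_conf_dns(SAMPLE_RESOLV_CONF))):
        print(name, "uses", found, "unexpected:", unexpected_resolvers(found))
```

Run it against your own `ipconfig /all` output or `/etc/resolv.conf` after replacing the expected list with what your ISP actually documents.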

Other measures

If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.

You should at least:

  • Change your router’s default usernames and passwords to something less easy to guess.
  • Check the vendor’s website for updates, confirm the EOL date, and update to the latest firmware version.
  • Disable remote management interfaces from the Internet where possible.
  • Take certificate warnings in web browsers and email clients seriously: they indicate something is wrong with the secure connection and could mean you are not talking to the genuine site.

For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.

If a US citizen suspects they have been targeted or compromised by a Russian cyberintrusion, they are asked to report the activity to their local FBI field office or file a complaint with the IC3. Be sure to provide details about the affected router, including device type and DHCP configurations.



Banning Routers Won’t Secure the Internet

Washington’s push to ban foreign-made Wi-Fi routers may sound tough on cybersecurity, but, like earlier bans on foreign drones and telecom gear, it risks becoming security theater that ignores the real problem: millions of unpatched devices already sitting on American networks.

The post Banning Routers Won’t Secure the Internet appeared first on Security Boulevard.

Patch now: TP-Link Archer NX routers vulnerable to firmware takeover

TP-Link patched a high severity flaw (CVE-2025-15517) in Archer NX routers that could let attackers bypass authentication and install malicious firmware.

TP-Link issued security updates for its Archer NX router series to fix multiple vulnerabilities, including CVE-2025-15517 (CVSS score of 8.6), a critical authentication bypass flaw. The vulnerability impacts multiple models, including NX200, NX210, NX500, and NX600. The flaw allows attackers to upload new firmware without privileges, creating a high risk of compromise if unpatched.

“A missing authentication check in the HTTP server to certain cgi endpoints allows unauthenticated access intended for authenticated users,” reads the advisory. “An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations.”

TP-Link also removed a hardcoded cryptographic key in Configuration Encryption Mechanism, tracked as CVE-2025-15605 (CVSS score of 8.5). The vulnerability allowed authenticated attackers to decrypt configuration files, modify them, and re-encrypt them.

“A hardcoded cryptographic key within its configuration mechanism enables decryption and re-encryption of device configuration data,” reads the advisory. “An authenticated attacker may decrypt configuration files, modify them and re-encrypt them, affecting confidentiality and integrity of device configuration data.”

Below is the list of impacted products/versions and related fixes:

Affected product, with affected hardware versions and firmware versions:

Archer NX600
  • v3.0: < 1.3.0 Build 260309
  • v2.0: < 1.3.0 Build 260311
  • v1.0: < 1.4.0 Build 260311

Archer NX500
  • v2.0: < 1.5.0 Build 260309
  • v1.0: < 1.3.0 Build 260311

Archer NX210
  • v3.0: < 1.3.0 Build 260309
  • v2.0 & v2.20: < 1.3.0 Build 260311

Archer NX200
  • v3.0: < 1.3.0 Build 260309
  • v2.20: < 1.3.0 Build 260311
  • v2.0: < 1.3.0 Build 260311
  • v1.0: < 1.8.0 Build 260311

The vendor urges customers to download and install the latest firmware version to address these issues.

In September 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link Archer C7(EU) and TL-WR841N flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the descriptions for these flaws:

  • CVE-2025-9377 (CVSS score of 8.6) TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability
  • CVE-2023-50224 (CVSS score of 6.5) TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability

This week, the U.S. FCC announced a ban on importing new foreign-made consumer routers, citing unacceptable cyber and national security risks. The decision, backed by Executive Branch assessments, means such devices can no longer be sold or marketed in the U.S. unless they receive special approval.

Routers will be added to the Covered List, with exceptions only for devices that the Department of Homeland Security or defense authorities have verified pose no threat to communications networks.


Pierluigi Paganini

(SecurityAffairs – hacking, Archer NX)

New FCC router ban could leave home networks less secure

On Monday, the Federal Communications Commission (FCC) updated its list of insecure equipment, outlining its reasons for adding all consumer-grade routers made outside the US.

Effectively, this would stop foreign-made routers from being imported unless their manufacturers obtain an exemption, due to what the FCC called an “unacceptable risk to the national security of the United States or the safety and security of United States persons.”

We applaud decisions that make people more secure, but this one raises some serious questions.

Almost all routers

Virtually all consumer-grade routers are produced outside of the US, including those marketed by American companies. This doesn’t pose an immediate problem, because the ban would only apply to future imports. Products already in use or currently on sale could still be used.

But with no US-manufactured routers readily available, people may hold on to older, less secure devices for longer than they normally would, due to a lack of alternatives. That means routers that have reached end-of-life (EOL) might remain in use without updates or support.

The real danger

Although it makes sense to scrutinize untrusted routers in government and critical infrastructure environments, I don’t think banning SOHO (small office/home office) routers is likely to have a big impact on national security.

At first glance, you might think this kind of move is aimed at taking down some major botnets which thrived on internet-connected devices like cameras, routers, and video recorders. And the National Security Determination does mention these botnets.

But in most cases, the reason these routers can be used in botnets isn’t because they were made abroad, but because they are shipped with default credentials and unclear directions on how to change them.

Untrusted routers could lead to espionage and denial of service at critical times, especially where countries of origin have laws prescribing mandatory backdoors (like China). In those cases, it makes sense to avoid those routers in organizations that are “critical for maintaining functional communications, critical infrastructure, and emergency services.”

But many routers are manufactured in countries that have no such laws, and where there is little to gain from state-level espionage targeting US consumers.

Alternative safety measures

Before buying a new router, check with your Internet Service Provider (ISP) which models work with their services. Many ISPs publish lists of approved modems, and sometimes gateway devices, but they usually allow customers to use their own standalone router as long as it connects via Ethernet and supports the WAN type (DHCP, PPPoE, VLAN tags, etc.).

In practice, the best router for national security isn’t the one with a “Made in USA” label, but the one that gets patched as soon as a vulnerability is disclosed.

If you can afford it and haven’t already, upgrade to Wi-Fi 7 to help future-proof your setup while current models are still in stores.

You should also:

  • Change your router’s default credentials to something less easy to guess.
  • Check the vendor’s website for updates and confirm the EOL date.

For technically confident users, replacing vendor firmware with open-source alternatives like OpenWrt or DD-WRT can extend a router’s secure lifespan. But this comes with risks, including voiding warranties or potentially bricking your device. You should only do this, or have it done, if you’re comfortable troubleshooting.

