
CISA Flags Actively Exploited TP-Link Router Flaw CVE-2023-33538
Publication date: 2025-06-17
Introduction
On June 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-33538, a high-severity command injection vulnerability in legacy TP-Link wireless routers, to its Known Exploited Vulnerabilities catalog. The listing imposes a mandatory remediation deadline of July 7, 2025, for federal agencies. BaseFortify’s free CVE reports offer in-depth, annotated analysis (technical breakdowns, attacker techniques, remediation guidance, and ongoing threat intelligence), giving you impact assessments, step-by-step mitigations, and alert subscriptions so you can respond swiftly.
Background on the CISA KEV Catalog
CISA’s Known Exploited Vulnerabilities (KEV) catalog lists flaws that have been observed being exploited in real-world attacks. Once a vulnerability is added, all U.S. federal civilian agencies must apply mitigations or discontinue vulnerable products in accordance with Binding Operational Directive 22-01.
Technical Analysis
CVE-2023-33538 is a command injection defect (CWE-77) in the /userRpm/WlanNetworkRpm component of TP-Link’s web-based management interface. By sending a specially crafted HTTP GET request with malicious content in the ssid1 parameter, an unauthenticated attacker can execute arbitrary system commands, potentially gaining full control of the router.
Vulnerable Models
- TL-WR940N (v2, v4)
- TL-WR841N (v8, v10)
- TL-WR740N (v1, v2)
Evidence of Active Exploitation
While no public proof-of-concept has been released, CISA’s KEV inclusion signals confirmed abuse. Independent researchers also observed TP-Link devices leveraged in operational technology malware campaigns such as FrostyGoop, emphasizing how attackers target command injection issues to pivot into critical networks.
Impact Assessment
Compromised routers enable adversaries to intercept or redirect network traffic, deploy malicious firmware, launch distributed denial-of-service (DDoS) attacks, and serve as footholds for lateral movement into corporate or industrial networks.
Mitigation Strategies
- Apply Patches: Check TP-Link support resources for any available firmware updates.
- Discontinue Unsupported Devices: Remove EoL routers if no patches exist.
- Restrict Remote Management: Disable WAN-side access to the web interface.
- Change Default Credentials: Enforce strong, unique admin passwords.
- Network Segmentation: Place legacy devices in isolated VLANs or behind firewalls.
- Monitor and Alert: Deploy IDS/IPS rules to flag anomalous HTTP requests targeting router endpoints.
- Follow CISA Guidance: Adhere to Binding Operational Directive 22-01 for mandatory actions.
Conclusion
CVE-2023-33538 represents a potent threat to organizations still relying on outdated TP-Link routers. Immediate action—patching, decommissioning, or isolating vulnerable devices—is essential. To dive deeper into this vulnerability and access detailed remediation guidance, visit our Annotated Analysis on BaseFortify and register for free to receive ongoing alerts.
References
- The Hacker News: TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert
- Security.nl: VS meldt actief misbruik van beveiligingslek in wifi-routers TP-Link (US reports active exploitation of a security flaw in TP-Link Wi-Fi routers)
- BaseFortify: Annotated Analysis of CVE-2023-33538
- TP-Link Official Support FAQ
- CISA KEV Catalog
- Palo Alto Networks Unit 42: FrostyGoop Malware Analysis