{"id":12218,"date":"2026-04-18T10:03:36","date_gmt":"2026-04-18T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/18\/hackers-target-tp-link-routers-with-mirai-malware-in-cve-2023-33538-exploitation-attempts\/"},"modified":"2026-04-18T10:03:36","modified_gmt":"2026-04-18T10:03:36","slug":"hackers-target-tp-link-routers-with-mirai-malware-in-cve-2023-33538-exploitation-attempts","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/18\/hackers-target-tp-link-routers-with-mirai-malware-in-cve-2023-33538-exploitation-attempts\/","title":{"rendered":"Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts"},"content":{"rendered":"<div>\n<p>A known security flaw in several end-of-life TP-Link Wi-Fi routers is being actively targeted by hackers trying to install Mirai-based botnet malware on vulnerable devices. 
<\/p>\n<p>The vulnerability, tracked as CVE-2023-33538, affects multiple TP-Link models that no longer receive vendor updates, leaving users with no official patch to apply.<\/p>\n<p>The affected routers include the TL-WR940N (versions 2 and 4), TL-WR740N (versions 1 and 2), and TL-WR841N (versions 8 and 
10). <\/p>\n<p>These devices share a common weakness in their web management interfaces, where a specific parameter inside an HTTP GET request is not properly checked for harmful content. <\/p>\n<p>This missing input validation gives attackers a clear opening to inject and run commands on the router without triggering any warning on the device.<\/p>\n
<p>The attacks work by sending malicious HTTP GET requests to the \/userRpm\/WlanNetworkRpm endpoint. The requests carry commands embedded in the ssid parameter, which the router\u2019s firmware processes without filtering harmful input. <\/p>\n<p>Once the router accepts the request, the commands instruct it to download an ELF binary named arm7 from a remote server at IP address 51.38.137[.]113, assign it full execution permissions, and run it immediately.<\/p>\n
<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/exploitation-of-cve-2023-33538\/\" id=\"https:\/\/unit42.paloaltonetworks.com\/exploitation-of-cve-2023-33538\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Unit 42 analysts and researchers at Palo Alto Networks identified this malicious activity<\/a> after CISA added CVE-2023-33538 to its Known Exploited Vulnerabilities (KEV) catalog in June 2025. <\/p>\n<p>Their telemetry systems detected large-scale, automated exploitation attempts around that same period, with multiple probes targeting the same vulnerable endpoint across numerous devices in the wild.<\/p>\n
<p>The downloaded arm7 binary is a variant of the Condi IoT botnet malware, a Mirai-based family tied to previous campaigns. Once running on the infected router, the malware connects to a command-and-control (C2) server and folds the device into a larger botnet. <\/p>\n<p>The C2 domain cnc.vietdediserver[.]shop is directly associated with these <a href=\"https:\/\/cybersecuritynews.com\/zyxel-nas-devices-under-attack\/\" id=\"68510\" target=\"_blank\" rel=\"noreferrer noopener\">Mirai-like botnet<\/a> operations and was confirmed malicious.<\/p>\n
<h2 class=\"wp-block-heading\" id=\"inside-the-arm7-malware-binary\"><strong>Inside the Arm7 Malware Binary<\/strong><\/h2>\n<p>After gaining access to the device, the arm7 binary carries out a structured set of tasks to maintain its presence and grow the botnet. 
<\/p>\n<p>It waits for specific byte-pattern commands from the C2 server and responds by sending heartbeat signals, triggering self-updates, and launching internal HTTP server functions.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgqm-hGRYR0uwfWcfpGcGJpV3LMHHahbzmIwE1GEBklSVj2hyphenhyphenCFHiguEgcGkD8hCXUh2oqzTzAkg-IIs7SVxlwFEltMrzuJHns9y9wKDsBRhE0pxpxKzeGoaFaPyHc2zTvTGr72Tc8MkHMLGqPLZ73D6tFqYliLwjGRDZTf-mq5y4_ZO1uk7UNbZ4bVztU\/s16000\/An%2520example%2520of%2520an%2520exploit%2520attempt%2520for%2520CVE-2023-33538%2520that%2520we%2520observed%2520in%2520May%25202025%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"An example of an exploit attempt for CVE-2023-33538 that we observed in May 2025 (Source - Unit42)\"><figcaption class=\"wp-element-caption\">An example of an exploit attempt for CVE-2023-33538 that we observed in May 2025 (Source \u2013 Unit42)<\/figcaption><\/figure>\n<p>One particularly notable behavior is the self-update routine. The binary uses the update_bins() function to connect back to 51.38.137[.]113 on TCP port 80 and pull fresh copies of itself built for eight different CPU architectures, including arm6, mips, sh4, and x86_64. <\/p>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/whats-the-difference-between-a-mac-address-and-an-ip-address\/\" id=\"84137\" target=\"_blank\" rel=\"noreferrer noopener\">IP address<\/a> and port are hard-coded directly inside the binary, as confirmed during disassembly. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiTx-g8FU5sEtrVSXTRozBPgl13PBKgph_4vbq74-0DctXgAvxiOiL9gDZVEXz_NPOeAIgWkjrDzPYV3VLlGP9WH8zCSC2jpsvdx5N8DYBnSmvF8MQ1oZcDB5zD6oDWOVu-fsWnTVbP8B642BeYdFGfb229ePPBqSOR0tRSWZBWJfv4nx3maZ1Hzmel9bY\/s16000\/The%2520update_bins%2520function%2520with%2520a%2520hard-coded%2520IP%2520address%2520and%2520port%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"The update_bins function with a hard-coded IP address and port (Source - Unit42)\"><figcaption class=\"wp-element-caption\">The update_bins function with a hard-coded IP address and port (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n<p>The arm7 binary also starts an HTTP server on the infected device using a port randomly chosen between 1024 and 65535. <\/p>\n<p>Once active, this server delivers fresh malware copies to other devices that connect to it, spreading the infection further without requiring any additional input from the attacker. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj0w6Ws0chvpvrSTWbD-oP0hPG1JtuhkGrvKbYx3snpKYi0HvP8X49bX0c4220cNDFrg3FN3bL57V9ZuUic-7MdaOyp7puUKus_hhRQ4NzzHnDE-dgIcFiWnk8cDllcPvhHhB5rLS6VKjazY02S1BV8rcQLUQ6_HhL1U6wBFhOgVUug1G0Ma1WZCAmFkeQ\/s16000\/httpd_start%28%29%2520function%2520graph%2520for%2520the%2520arm7%2520binary%2520%28Source%2520-%2520Unit42%29.webp?ssl=1\" alt=\"httpd_start() function graph for the arm7 binary (Source - Unit42)\"><figcaption class=\"wp-element-caption\">httpd_start() function graph for the arm7 binary (Source \u2013 Unit42)<\/figcaption><\/figure>\n<\/div>\n<p>This allows each newly infected host to go on recruiting more victims. 
Despite their scale, the in-the-wild exploit attempts observed by researchers carried technical errors. <\/p>\n<p>The attackers targeted the ssid parameter rather than the correct and vulnerable ssid1 parameter, and their injected commands depended on wget, a utility absent from the router\u2019s limited BusyBox environment. <\/p>\n<p>Even so, the research team confirmed that the underlying vulnerability is real and that a more accurate attacker using the correct parameter could successfully exploit it.<\/p>\n
<p>Regarding recommendations, TP-Link confirmed the affected devices are end-of-life and no vendor patches will be made available. The company advises users to replace these units with currently supported hardware. <\/p>\n<p>Changing the default admin:admin login credentials is also strongly recommended, as exploitation of this vulnerability requires authenticated access to the router\u2019s web interface. <\/p>\n<p>Administrators should monitor <a href=\"https:\/\/cybersecuritynews.com\/attaxion-releases-agentless-traffic-monitoring-for-immediate-risk-prioritization\/\" id=\"123027\" target=\"_blank\" rel=\"noreferrer noopener\">outbound traffic<\/a> for connections to known malicious domains and retire any affected TP-Link router models still active on their networks.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-target-tp-link-routers\/\">Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-target-tp-link-routers\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Target TP-Link Routers With Mirai Malware in CVE-2023-33538 Exploitation Attempts A known security flaw in several end-of-life TP-Link Wi-Fi routers is being actively targeted by hackers trying to install Mirai-based botnet malware on vulnerable devices. The vulnerability, tracked as CVE-2023-33538, affects multiple TP-Link models that no longer receive vendor updates, leaving users with no [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12218","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12218"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12218"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12218\/revisions"}],"wp:atta
chment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}