The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation.
The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could allow arbitrary system commands to be executed when the ssid1 parameter of a specially crafted HTTP GET request is processed.
“TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain command injection vulnerabilities via the component /userRpm/WlanNetworkRpm,” CISA said.
CISA also warns that the affected products may be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if mitigations are unavailable.
There is currently no public information on how the flaw is being exploited in the wild.
In December 2024, Palo Alto Networks Unit 42 identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM), and revealed that one of the IP addresses associated with the ENCO control devices was running a web server for a TP-Link WR740N router, which was accessed from the ENCO device via a web browser.
However, it also pointed out that “there is no hard evidence that the attackers exploited it in the FrostyGoop attack in July 2024.”
The Hacker News has reached out to TP-Link for more details, and we will update the story if we hear back. In light of active exploitation, federal agencies are required to apply the fixes by July 7, 2025.
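Because the advisory names the affected endpoint and the parameter involved but not the exploitation details, the most useful thing a defender can do today is look for requests to that endpoint whose ssid1 value contains characters that no legitimate SSID needs. The script below is an added example written for this article, not code from CISA, TP-Link or the researchers cited: it parses Common Log Format access-log lines (constructed sample lines, not real traffic), flags requests to /userRpm/WlanNetworkRpm whose ssid1 parameter carries shell metacharacters, and reports the source addresses involved. The endpoint path is taken from the KEV entry; the metacharacter list and the placeholder tokens in the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the CISA KEV entry for CVE-2023-33538 (compared case-insensitively).
VULN_PATH = "/userrpm/wlannetworkrpm"

# Shell metacharacters that have no business in a wireless network name (assumed list).
META = re.compile(r"[;|&`$(){}<>\n\r]")

# Constructed access-log lines in Common Log Format; the PLACEHOLDER tokens stand in
# for whatever an attacker might append and are not a working payload.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2025:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&region=0 HTTP/1.1" 200 512
203.0.113.9 - - [16/Jun/2025:10:01:05 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Home%3BPLACEHOLDER_CMD&region=0 HTTP/1.1" 200 512
198.51.100.4 - - [16/Jun/2025:10:02:11 +0000] "GET /userRpm/StatusRpm HTTP/1.1" 200 4096
203.0.113.9 - - [16/Jun/2025:10:02:40 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=%60PLACEHOLDER%60 HTTP/1.1" 200 512
"""

# Minimal Common Log Format parser: client IP, timestamp, method, request target, status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one CLF line, or None if it does not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def extract_ssid1(target):
    """Return the decoded ssid1 value if the request targets the vulnerable endpoint, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    values = query.get("ssid1")
    return values[0] if values else None


def is_suspicious(target):
    """True when the request hits the vulnerable endpoint with metacharacters in ssid1."""
    value = extract_ssid1(target)
    return value is not None and META.search(value) is not None


def scan(log_text):
    """Return one finding per suspicious request: source IP, timestamp and decoded ssid1."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or not is_suspicious(fields["target"]):
            continue
        findings.append({
            "ip": fields["ip"],
            "ts": fields["ts"],
            "ssid1": extract_ssid1(fields["target"]),
        })
    return findings


def unique_sources(findings):
    """Distinct client addresses behind the findings, useful for blocking and for spotting bursts."""
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ts']}  {hit['ip']}  ssid1={hit['ssid1']!r}")
    print("unique sources:", sorted(unique_sources(hits)))
```

Run it against a router's exported access log (or a reverse proxy in front of the management interface) and it prints each flagged request with its source address; a device that is EoL and cannot be patched should in any case have its management interface removed from the internet, as the advisory recommends.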
New activity targets CVE-2023-28771
The disclosure comes as GreyNoise warned of exploitation attempts targeting a critical security flaw affecting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).

CVE-2023-28771 refers to an operating system command injection vulnerability that allows unauthenticated attackers to execute commands by sending crafted requests to susceptible devices. Zyxel patched it in April 2023.
The vulnerability was weaponized by Mirai-like DDoS botnets shortly after its public disclosure, and the threat intelligence company said it discovered a spike in exploitation attempts on June 16, 2025.
As many as 244 unique IP addresses are said to have participated in the short-lived effort, with activity targeting the US, UK, Spain, Germany and India.
“Historical analysis shows that in the two weeks before June 16th, these IPs were not observed engaging in any other scanning or abuse behavior, suggesting they were targeting CVE-2023-28771 only,” GreyNoise said.
To mitigate the threat, users are advised to update their Zyxel devices to the latest version, monitor for unusual activity, and limit exposure where possible.