PULSE NAME
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
WHITE AlienVault 2026-04-17 Modified: 2026-04-17
38 IOCs
MEDIUM VOLUME
Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link Wi-Fi routers were identified after CISA added it to the KEV catalog in June 2025. The vulnerability affects several router models including TL-WR940N, TL-WR740N, and TL-WR841N. Observed attacks attempted to deploy Mirai-like botnet malware, specifically variants associated with the Condi IoT botnet. Through firmware emulation and reverse engineering, researchers confirmed the vulnerability exists but discovered that successful exploitation requires authentication. The in-the-wild attacks contained critical flaws: they targeted the wrong parameter (ssid instead of ssid1), lacked authentication, and relied on utilities not present in the router firmware. The command injection vulnerability in the WlanNetworkRpm endpoint allows remote attackers to execute arbitrary commands when authenticated. The malware establishes C2 communication and propagates across architectures. TP-Link confirmed affected devices are end-of-life with no patc...
Indicators of Compromise (38)
TYPE INDICATOR DESCRIPTION CREATED
CVE CVE-2023-33538 2026-04-17
CVE CVE-2024-3400 2026-04-17
CVE CVE-2025-0921 2026-04-17
CVE CVE-2025-14847 2026-04-17
CVE CVE-2025-21042 2026-04-17
CVE CVE-2025-23304 2026-04-17
CVE CVE-2025-55182 2026-04-17
CVE CVE-2025-59287 2026-04-17
CVE CVE-2025-66478 2026-04-17
CVE CVE-2026-1281 2026-04-17
CVE CVE-2026-1340 2026-04-17
CVE CVE-2026-1731 2026-04-17
CVE CVE-2026-22584 2026-04-17
hostname bot.ddosvps.cc 2026-04-17
hostname cnc.vietdediserver.shop 2026-04-17