PT-2023-2025 · Tp Link · Tp-Link Archer Ax21

Evan Grant +1 · Published 2023-03-14 · Updated 2025-11-18 · CVE-2023-1389

CVSS v3.1: 8.8
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

TP-Link Archer AX21 firmware versions prior to 1.1.4 Build 20230219
TP-Link Archer AX-21

Description

TP-Link Archer AX21 (AX1800) devices are affected by a command injection vulnerability in the /cgi-bin/luci;stok=/locale endpoint. The vulnerability occurs because the country parameter within the write operation is not properly sanitized before being used in a call to popen(). This allows an unauthenticated attacker to inject arbitrary commands, which are then executed with root privileges via a simple POST request. This vulnerability has been actively exploited by multiple botnets, including Ballista, Moobot, Miroi, AGoent, and Gafgyt, to spread malware and launch DDoS attacks. The vulnerability is identified as CVE-2023-1389. Numerous reports indicate ongoing exploitation attempts, with daily infection attempts exceeding 40,000 since March 2024. The vulnerability allows attackers to execute remote code, potentially compromising devices and networks.

Recommendations

Update TP-Link Archer AX21 firmware to version 1.1.4 Build 20230219 or later. For all other affected TP-Link Archer AX-21 models, update to the latest available firmware.
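
The weakness class described above, request data reaching popen() unchecked, can be illustrated with the following added example, which is not TP-Link firmware code. It assumes a valid country value is exactly two uppercase ASCII letters; the command name set_region and all function names are hypothetical placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a valid country value is exactly two uppercase ASCII letters. */
int country_is_valid(const char *s)
{
    if (s == NULL || strlen(s) != 2)
        return 0;
    return s[0] >= 'A' && s[0] <= 'Z' && s[1] >= 'A' && s[1] <= 'Z';
}

/* Vulnerable pattern: request data is pasted into a shell command line.
 * "set_region" is a placeholder, not the firmware's real command. A string
 * built this way and handed to popen() lets the shell interpret any
 * metacharacters the request contained. */
int build_cmd_unsafe(char *out, size_t n, const char *country)
{
    int w = snprintf(out, n, "set_region %s", country);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;
}

/* Hardened pattern: allowlist check before any command string exists.
 * On rejection, out is left empty and -1 is returned. Avoiding the shell
 * entirely (fixed argv passed to execv) is the sturdier design. */
int build_cmd_checked(char *out, size_t n, const char *country)
{
    if (n == 0)
        return -1;
    out[0] = '\0';
    if (!country_is_valid(country))
        return -1;
    return build_cmd_unsafe(out, n, country);
}

int main(void)
{
    /* Constructed inputs: one normal value, three carrying shell syntax. */
    const char *samples[] = { "US", "US;reboot", "US|ls", "DE\n" };
    char cmd[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_cmd_checked(cmd, sizeof cmd, samples[i]);
        printf("[%s] -> %s\n", samples[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```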

Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-01736
CVE-2023-1389
ZDI-23-451

Affected Products

Tp-Link Archer Ax21