PT-2023-2025 · TP-Link · TP-Link Archer AX21

Evan Grant +1 · Published 2023-03-14 · Updated 2026-06-08 · CVE-2023-1389

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TP-Link Archer AX21 versions prior to 1.1.4 Build 20230219

Description: An unauthenticated attacker can execute arbitrary commands with root privileges through the web management interface via a command injection flaw. The issue exists because the country parameter in the write operation of the '/cgi-bin/luci;stok=/locale' endpoint is not sanitized before being processed by the popen() function. This flaw has been exploited by Chinese state-linked actors and various botnets, including Mirai, RondoDox, and Ballista. The Ballista botnet has compromised over 6,000 devices worldwide, specifically targeting sectors such as healthcare, manufacturing, and technology across countries including Brazil, Poland, Turkey, the UK, and the USA. Once compromised, the malware establishes an encrypted command-and-control channel to perform DDoS attacks, redirect users to phishing sites by changing DNS settings, and steal sensitive files.

Recommendations: Update to firmware version 1.1.4 Build 20230219 or later. As a temporary workaround, restrict access to the '/cgi-bin/luci;stok=/locale' endpoint or disable the web management interface to minimize the risk of exploitation.
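A defensive pattern for the flaw described above, as an added example that is not TP-Link firmware code: the country value is checked against a strict allowlist and then handed to the helper as a separate argv element, so no shell ever parses it. The allowlist contents and the /bin/echo placeholder helper are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hardened handling of a "country" request parameter before it reaches
 * any process-spawning call. The root cause on the page is an unvalidated
 * value formatted into a popen() command string; the fix is to validate
 * first and to avoid the shell entirely. */

/* Allowlist (assumption): the only values the handler should accept.
 * Real firmware would use the regulatory-domain list it actually supports. */
static const char *ALLOWED_COUNTRIES[] = { "US", "GB", "DE", "PL", "BR", "TR", NULL };

/* Returns 1 if `country` is exactly one allowlisted code, 0 otherwise.
 * A valid code followed by anything else (separators, metacharacters,
 * whitespace) fails the exact-match test and is rejected. */
int country_is_valid(const char *country)
{
    if (country == NULL)
        return 0;
    for (const char **p = ALLOWED_COUNTRIES; *p != NULL; p++)
        if (strcmp(country, *p) == 0)
            return 1;
    return 0;
}

/* Safe invocation: validate, then exec the helper with an argv array.
 * Returns the child's exit status, or -1 if the value was rejected or
 * the spawn failed. Nothing here builds a command line. */
int set_country(const char *country)
{
    if (!country_is_valid(country))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Placeholder helper (assumption); firmware would exec its own tool. */
        execl("/bin/echo", "echo", "country", country, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```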

Tags: Exploit · Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-01736
CVE-2023-1389
ZDI-23-451

Affected Products

TP-Link Archer AX21