CVE-2023-33538

Name of the Vulnerable Software and Affected Versions TP-Link TL-WR940N versions V2 through V4 TP-Link TL-WR841N versions V8 through V10 TP-Link TL-WR740N versions V1 through V2

Description A command injection vulnerability has been discovered in TP-Link routers, specifically in the component /userRpm/WlanNetworkRpm. This vulnerability allows attackers to execute arbitrary system commands, potentially leading to remote code execution. The vulnerability is being actively exploited, and CISA has issued an immediate alert. The estimated number of potentially affected devices is not specified, but it is known that the vulnerability affects multiple TP-Link router models, including TL-WR940N, TL-WR841N, and TL-WR740N. The ssid1 parameter in a specially crafted HTTP GET request is used to inject commands.

Recommendations For TP-Link TL-WR940N versions V2 through V4: Update to a patched version or apply vendor-recommended mitigations. For TP-Link TL-WR841N versions V8 through V10: Update to a patched version or apply vendor-recommended mitigations. For TP-Link TL-WR740N versions V1 through V2: Update to a patched version or apply vendor-recommended mitigations. As a temporary workaround, consider disabling the /userRpm/WlanNetworkRpm component until a patch is available. Restrict access to the vulnerable component to minimize the risk of exploitation. Avoid using the ssid1 parameter in the affected API endpoint until the issue is resolved.