CVE-2023-50224

Name of the Vulnerable Software and Affected Versions TP-Link TL-WR841N versions (affected versions not specified)

Description The TP-Link TL-WR841N router is affected by an improper authentication issue within the dropbearpwd component. This allows network-adjacent attackers to disclose sensitive information on affected devices. Authentication is not required to exploit this issue. The flaw resides in the httpd service, listening on TCP port 80 by default, due to improper authentication. An attacker can leverage this to reveal stored credentials, potentially leading to further compromise. Real-world exploitation has been observed with the Russian APT28 (GRU Unit 26165) using this vulnerability (CVE-2023-50224) to hijack DNS settings for adversary-in-the-middle attacks, intercepting credentials from over 5,000 devices across 120 countries. The campaign targeted email and login traffic for credential harvesting.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.