Unit 42 observed active, automated exploitation attempts targeting CVE-2023-33538, a command injection vulnerability in end-of-life TP-Link routers, to deploy Mirai-like botnet malware. While the observed in-the-wild attacks were flawed and failed, technical analysis confirmed the vulnerability is exploitable if attackers authenticate using default credentials, allowing them to inject shell commands via the ssid1 parameter.