A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Asher Davila, Malav Vyas and Chris Navarrete · 2026-04-16
ATT&CK techniques detected
20 predictions
T1190 Exploit Public-Facing Application (97%)
“…s IP address. This httpd binary implements the router's web-based management interface. The interface provides configuration options such as: - Wireless Local Area Network (WLAN) - Wi-Fi Protected Setup (WPS) - Dynamic Host Configuration Protocol (DHCP) - Logging - D…”
T1190 Exploit Public-Facing Application (97%)
“A Deep Dive Into Attempted Exploitation of CVE-2023-33538. Executive summary: We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models: - TL-WR940N V2 and V4 - TL-W…”
T1190 Exploit Public-Facing Application (96%)
“…and Advanced DNS Security - Advanced WildFire - Cortex Xpanse - Device Security - Next-Generation Firewall with Advanced Threat Prevention. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. Technical analysis of at…”
T1190 Exploit Public-Facing Application (95%)
“…processed. The command injection vulnerability, combined with the tftp utility, could open a door for an attacker to download a malicious file. From our emulation and exploitation results, we confirmed that the command injection vulnerability does exist for V4 firmware. However, …”
T1190 Exploit Public-Facing Application (95%)
“…successful. By examining this complete chain of events, we confirm the ssid1 parameter is vulnerable to command injection. This is because no part of this chain sanitizes the value of the ssid1 parameter before the value is passed to the system shell. Emulation of the httpd binar…”
T1190 Exploit Public-Facing Application (93%)
“…execution on the Wi-Fi router. Our telemetry findings: Our telemetry systems detected active, large-scale exploitation attempts for CVE-2023-33538 around the time of the addition to the KEV catalog in June 2025. We observed multiple exploitation attempts similar to the exa…”
T1204.002 Malicious File (89%)
“…UK: +44.20.3743.3660 - Europe and Middle East: +31.20.299.3130 - Asia: +65.6983.8730 - Japan: +81.50.1790.0200 - Australia: +61.2.4062.7950 - India: 000 800 050 45107 - South Korea: +82.080.467.8774. Palo Alto Networks has shared these findings with o…”
T1190 Exploit Public-Facing Application (88%)
“…tm?save=save endpoint, which returns the session token, as shown in Figure 39. To access any resource on the admin panel, it is critical to have both the authorization cookie and the session token. After acquiring the key, the PoC uses the key and authorization token to make…”
T1190 Exploit Public-Facing Application (87%)
“…binary shown below in Figure 9. The exploit attempt appears to contain errors. While the endpoint /userRpm/WlanNetworkRpm.htm is correct, this exploit is incorrectly attempting to inject malicious commands into the ssid parameter. The actual vulnerable parameter reported on t…”
T1190 Exploit Public-Facing Application (83%)
“…940N router. Using firmware emulation and reverse engineering, we analyzed whether the specific exploits observed in our telemetry could successfully use this vulnerability to deliver the payload on that device model. During our investigation, we uncovered two important facts a…”
T1190 Exploit Public-Facing Application (78%)
“…. Attackers can leverage this vulnerability by injecting their malicious payload into the wireless network name (ssid1) field. This direct method of injection makes the vulnerability relatively easy to exploit, as it doesn't require complex bypasses or sophisticated technique…”
T1190 Exploit Public-Facing Application (58%)
“…cpjqahxbrcqsc/userRpm/Index.htm. As the session token was sufficiently random, it was not feasible to brute force or guess. The token can only be generated using valid credentials. Once a user enters a username and password to log in, the PCSubWin() function executes to p…”
T1190 Exploit Public-Facing Application (55%)
“…Rpm/WlanNetworkRpm.htm endpoint using the ssid1 parameter is not checked or sanitized. If the new SSID string value is different from the existing SSID string value, the wirelessconfigupdate() function injects the new, unsanitized SSID value in parameters for executeformat…”
T1204.002 Malicious File (41%)
“…File description: firmware downloaded from TP-Link website - SHA256 hash: 56f21f412e898ad9e3ee05d5f44c44d9d7bcb9ecbfbdb9de11b8fa5a637aeef6 - File size: 136.30 KB (139,576 bytes) - Filename: x86_64 - File type: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)…”
T1584.008 Network Devices (38%)
“…940N router. Using firmware emulation and reverse engineering, we analyzed whether the specific exploits observed in our telemetry could successfully use this vulnerability to deliver the payload on that device model. During our investigation, we uncovered two important facts a…”
T1078.001 Default Accounts (34%)
“…, which is not present in the firmware's limited BusyBox environment. This demonstrates a common attack pattern of scanning and probing with incomplete or inaccurate exploit code, resulting in noisy but ultimately ineffective attacks. While these specific attempts would fail, th…”
T1071 Application Layer Protocol (31%)
“…full binary update. When this happens, the process sets the httpd_started flag value to 1. Finally, as an HTTP server, the infected botnet host serves malware binaries to requesting clients, which are other compromised devices. When the httpd_start() function is executed, it fi…”
Summary
CVE-2023-33538 is a command injection vulnerability in several end-of-life TP-Link routers. We discuss observed exploitation attempts whose payloads are characteristic of Mirai botnet malware.