- Description
- TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
- Source
- vulnreport@tenable.com
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- TP-Link Archer AX-21 Command Injection Vulnerability
- Exploit added on
- May 1, 2023
- Exploit action due
- May 22, 2023
- Required action
- Apply updates per vendor instructions.
- Hype score
- Not currently trending
Recent vulnerability breakdowns include Androxgh0st Botnet Vulnerabilities, CVE-2024-36401 in GeoServer, and CVE-2023-1389 in TP-Link Archer AX21 Firmware. Providing detailed analysis to aid in understanding and mitigation.
@agentwhitehat
12 Jan 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2025-01-06 08:47:14 UTC Source IP: 45.141.156.67 🇧🇬 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 190.123.44.73 🇵🇦 hxxp://190.123.44.73/fk.sh 1c75b2c526118235961ec2ec0d260457 https://t.co/L
@sicehice
6 Jan 2025
397 Impressions
2 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
New botnet exploits vulnerabilities in TP-Link routers and NVRs https://t.co/HgHQJth5Ew DigiEver DS-2105 Pro NVRs CVE-2023-1389 in TP-Link CVE-2018-17532 in Teltonika RUT9XX https://t.co/ER5iLQyD4G
@elhackernet
27 Dec 2024
2729 Impressions
5 Retweets
30 Likes
3 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-27 04:01:10 UTC Source IP: 5.180.253.220 🇩🇪 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 5.175.237.74 🇩🇪 hxxp://5.175.237.74/GuruITDDoS3.sh c01f89f66afa819108643774b814bfaf https:/
@sicehice
27 Dec 2024
1686 Impressions
6 Retweets
29 Likes
8 Bookmarks
0 Replies
0 Quotes
A new version of the Mirai botnet for IoT (Internet of Things) devices has recently been released. This malware exploits some IoT devices, such as DVRs and TP-Link modems, using the vulnerability identified as CVE-2023-1389. https://t.co/Poz3aKYxT1 https://t.co/f6TGsDaEQe
@AmirHossein_sec
26 Dec 2024
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempts targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-25 07:13:04 UTC Source IP: 154.213.190.250 🇳🇱 Source IP: 154.213.190.246 🇳🇱 POST /cgi-bin/luci/;stok=/locale?form=country https://t.co/w0HNT8W8wP
@sicehice
25 Dec 2024
2790 Impressions
9 Retweets
40 Likes
12 Bookmarks
1 Reply
0 Quotes
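🟥 It seems this has only been identified so far and has not been fixed… A new botnet has emerged that exploits vulnerabilities in DIGIEVER NVRs and TP-Link routers: CVE-2023-1389 and others https://t.co/AB485QFpeX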
@n_gsx1300r
25 Dec 2024
131 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A new version of the Mirai botnet for IoT (Internet of Things) devices has been released; this malware exploits some IoT devices, such as DVRs and TP-Link modems, using the vulnerability identified as CVE-2023-1389. The malware attacks a CGI file named cgi_main.cgi, which is located in the cgi-bin path.
@cybernetic_cy
25 Dec 2024
115 Impressions
3 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
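⚠️ A new botnet has emerged that exploits vulnerabilities in DIGIEVER NVRs and TP-Link routers (CVE-2023-1389 and others) 🚨 API keys and sensitive tokens leaked from more than 30,000 Postman workspaces ~Cyber Alert, December 25~ https://t.co/WfheYCIH97 #セキュリティ #インテリジェンス #OSINT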
@MachinaRecord
25 Dec 2024
189 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt observed targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-17 19:56:34 UTC Source IP: 147.45.125.26 🇺🇸 POST /cgi-bin/luci;stok=None/admin/system IOCs: hxxp://pidors.ddosit[.]pro/ohshit.sh pidors.ddosit[.]pro --> 147.45.124.54 🇺🇸 https
@sicehice
23 Dec 2024
1413 Impressions
4 Retweets
15 Likes
4 Bookmarks
1 Reply
0 Quotes
F5 Labs dives into the trends and vulnerabilities shaping the cybersecurity landscape, including the resurgence of CVE-2023-1389, the dominance of single IP address scanning, and more. https://t.co/Z5sLXpE3DU
@devcentral
21 Dec 2024
98 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Dive into the latest F5 Labs vulnerability trends: 🔍 Scanning for CVE-2023-1389 remains the dominant threat as it continues to lead in traffic volume. 🔍 The #BotPoke scanner has switched its IP from Lithuania to Hong Kong https://t.co/uft8uOsZvL https://t.co/ZRSSDce7mq
@devcentral
18 Dec 2024
19 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Every time one of my honeypots gets a request for stok, I think it's from @stokfredrik 😂 and not CVE-2023-1389 https://t.co/FZK4DeuMis
@willvandevanter
4 Dec 2024
254 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-30 02:53:38 UTC Source IP: 181.215.193.5 🇹🇷 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 27.102.129.91 🇰🇷 hxxp://27.102.129.91/8UsA.sh 40b419c1257c09142c7f5abcfe4d1e5f htt
@sicehice
30 Nov 2024
230 Impressions
0 Retweets
2 Likes
1 Bookmark
1 Reply
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-23 16:18:22 UTC Source IP: 45.95.169.104 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 45.95.169.104 🇭🇷 hxxp://45.95.169.104/ohshit.sh Zip of files: https://t.co/xFE3otUq36
@sicehice
23 Nov 2024
197 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Out of the top 10 CVEs we track, CVE-2023-1389 continues to be the most scanned for the second month in a row. Find out why and see what else we discovered in our latest SIS summary. https://t.co/CipzrakOzH #F5Labs #Cybersecurity https://t.co/jFO7N45Eo7
@F5Labs
22 Nov 2024
130 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
New SIS! Our latest summary shows a 10% drop in scanning of CVE-2017-9841 compared to August and CVE-2023-1389 continues to take first place as the top CVE scanned. Plus, Lithuania is still in the picture. https://t.co/GhAoWCRjYr #F5Labs #Cybersecurity https://t.co/imjeHFYrxR
@F5Labs
15 Nov 2024
36 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers to deliver #Mirai #CVE-2023-1389 2024-10-31 06:37:18 UTC Source IP: 81.28.10.126 🇮🇹 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 109.120.156.253 🇸🇪 hxxp://109.120.156.253/tyo2831qq.sh a0689056629df05410742d40e160d9d1
@sicehice
2 Nov 2024
206 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E2DBA0CE-1871-4B4E-BCBD-3693E61DF23E",
            "versionEndExcluding": "1.1.4"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "2DF5A235-4531-4F03-882C-C2A6B6D07A5D"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]