CVE-2023-1389

Published Mar 15, 2023

Last updated 14 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2023-1389 is an unauthenticated command injection vulnerability (CWE-77) in the web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router, affecting firmware versions before 1.1.4 Build 20230219. The flaw sits in the "country" form of the /cgi-bin/luci/;stok=/locale endpoint: the write operation passes the country parameter to popen() without sanitising it, so shell metacharacters in that value are interpreted by the shell and the injected command runs as root. The request needs no valid session (the stok value in the path is empty), so a single crafted POST from anyone who can reach the interface gives full control of the device.

The bug was first demonstrated at Pwn2Own Toronto in December 2022, was later found independently by other researchers and publicly disclosed, and was fixed by TP-Link in firmware 1.1.4 Build 20230219. Despite the patch it has been exploited continuously since, by Mirai variants and by the Moobot, AGoent and Gafgyt botnets among others, and the posts collected below show it still in use through 2024 and 2025 (the Ballista campaign in March 2025, and repeated honeypot sightings of POST /cgi-bin/luci/;stok=/locale?form=country delivering Mirai droppers).

The CVSS vector scores the attack vector as adjacent network (AV:A), reflecting a LAN-facing management page; the same request is nonetheless sprayed across the Internet, so any unit with remote management exposed is reachable. Owners of affected routers should update to the current firmware and confirm that the management interface is not reachable from the WAN.
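The mechanism described above, the CWE-77 pattern of an unsanitised request parameter reaching popen(), reduced to three small handlers as an added example. This is not the router's code: the real handler is LuCI/Lua, which the page describes but does not show, and `echo` stands in for whatever command the firmware ran with the country value (an assumption), so the only effect of a successful injection here is an extra line of output. The payload strings are constructed markers, not anything seen in the wild.

```python
"""The CWE-77 pattern behind CVE-2023-1389, reduced to three small handlers.

Added example, not the router's code: the real handler is LuCI/Lua calling
popen(), which the page describes but does not show. "echo" stands in for
whatever command the firmware ran with the country value (assumption), so the
only effect of a successful injection here is an extra line of output.
"""
import re
import subprocess


def _sh(cmd: str) -> str:
    """Run a command string through /bin/sh, the way popen() does."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def vulnerable_set_country(country: str) -> str:
    """The flaw: the request parameter is spliced straight into the command
    string, so ';', '|', '`...`' and '$(...)' in it are executed by the shell."""
    return _sh(f"echo country={country}")


def quoted_set_country(country: str) -> str:
    """A common non-fix: wrapping the value in single quotes. A value that
    itself contains a single quote closes the quoting and injects anyway."""
    return _sh(f"echo 'country={country}'")


# Allow-list: a country code is exactly two upper-case letters.
COUNTRY_CODE = re.compile(r"[A-Z]{2}")


def hardened_set_country(country: str) -> str:
    """Validate against the allow-list, then pass the value as one argv
    element with no shell at all, so metacharacters are plain data."""
    if not COUNTRY_CODE.fullmatch(country):
        raise ValueError(f"invalid country code: {country!r}")
    proc = subprocess.run(["echo", f"country={country}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    marker = "US; echo INJECTED"   # constructed payload: a harmless marker, not a dropper
    print(vulnerable_set_country(marker), end="")                      # INJECTED appears
    print(quoted_set_country("US'; echo INJECTED; echo '"), end="")    # still appears
    try:
        hardened_set_country(marker)
    except ValueError as exc:
        print("hardened handler rejected it:", exc)
```

The fix is the combination: an allow-list on the value and no shell between the handler and the program it runs. If a shell truly cannot be avoided, `shlex.quote()` neutralises the quote break-out shown by the second handler, but it does nothing about the other half of this bug, which is that the endpoint answered a request carrying no valid session token at all.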

Description
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
Source
vulnreport@tenable.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
TP-Link Archer AX-21 Command Injection Vulnerability
Exploit added on
May 1, 2023
Exploit action due
May 22, 2023
Required action
Apply updates per vendor instructions.

Weaknesses

nvd@nist.gov
CWE-77
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-77

Social media

Hype score
Not currently trending
  1. Incidentally, the Archer AX21 (AX1800) vulnerability CVE-2023-1389 has been left unaddressed.

    @tokeisan3

    15 Mar 2025

    154 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A new IoT botnet targets TP-Link Archer routers via CVE-2023-1389, exploiting vulnerabilities due to poor firmware updates. Security risks escalate as affected devices grow. 🔒🌐 #IoTThreats #TPLink #USA link: https://t.co/RqJvd55Lr0 https://t.co/cjTHUBTcon

    @TweetThreatNews

    15 Mar 2025

    103 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Thousands of TP-Link routers are under attack by a powerful botnet! Exploiting CVE-2023-1389 for malware spread and RCE. Stay vigilant! #CVE-2023-1389 #Security https://t.co/sMPJ1Wa1oc

    @Synapze_

    15 Mar 2025

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista. The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet. https://t.co/VnGfzNq6yx ht

    @riskigy

    13 Mar 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Stay protected! Check out the #CybersecurityThreatAdvisory on CVE-2023-1389, a TP-Link #routervulnerability, to guard against potential #DDoS attacks. Review the details now: https://t.co/ZbLh1UC6qu

    @SmarterMSP

    12 Mar 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Unpatched TP-Link Archer routers are targeted by the Ballista #botnet, exploiting RCE #vulnerability CVE-2023-1389. This flaw allows command injection, leading to remote code execution and spreading malware like Mirai, Condi, and AndroxGh0st☝️🤖 https://t.co/pFySnnanI4

    @manuelbissey

    12 Mar 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 Threat Alert: Italian Threat Actor Deploys Ballista DDoS Botnet, Exploiting TP-Link Router Vulnerability (CVE-2023-1389) to Target Critical Industries 🚨 Summary: An Italian-based threat actor has deployed the Ballista botnet, exploiting CVE-2023-1389 in TP-Link Archer… http

    @CyberxtronTech

    12 Mar 2025

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. The Ballista botnet is targeting TP-Link Archer routers, using the CVE-2023-1389 vulnerability for remote code execution. Details: https://t.co/mnnoWY9YnE https://t.co/Kpqc2sUHQs

    @KZCERT

    12 Mar 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. A new botnet named Ballista targets unpatched TP-Link Archer routers, exploiting a critical vulnerability (CVE-2023-1389). Researchers suspect an Italian threat actor behind this campaign. 🚨 #BotnetThreat #TPLINK #Italy link: https://t.co/CvYKuGacd8 https://t.co/9zV7WFkmxU

    @TweetThreatNews

    11 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Busy day here at #FESI. We're tracking the X attack, Ivanti/VeraCore vulnerability exploitation, and the Ballista botnet that consists of TP-Link Archer routers vulnerable to CVE-2023-1389. You can check our threat briefs on all these subjects here: https://t.co/bHaE01IB7B

    @Ryan_FESI

    11 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. A newly identified IoT botnet, Ballista, linked to an Italian threat actor, exploits a vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread malware globally. ⚠️ #IoTThreat #Italy #MalwareAlert link: https://t.co/TXRmZ33pva https://t.co/UmJgFmNsac

    @TweetThreatNews

    11 Mar 2025

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. A new botnet, "Ballista", has been discovered that exploits an unpatched vulnerability (CVE-2023-1389) in TP-Link Archer routers. The botnet uses the flaw, which allows remote code execution (RCE), to spread automatically. … https://t.co/73i7cRaPYC

    @yousukezan

    11 Mar 2025

    1909 Impressions

    3 Retweets

    21 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  13. ⚠️ A new botnet, Ballista, exploits unpatched #TPLink Archer routers through the CVE-2023-1389 vulnerability. The flaw allows attackers to execute code remotely, leading to widespread malware infections. #Tech https://t.co/D6Ft8lnO1t

    @Infoandtech3

    11 Mar 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Old TP-Link vulnerability (CVE-2023-1389) being actively exploited. Serves as a useful reminder for everyone to check their router firmware is up to date! https://t.co/U2vFeRCkv8

    @BlueHatCyber

    11 Mar 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. ⚠️ A new botnet, Ballista, is exploiting unpatched TP-Link Archer routers through the CVE-2023-1389 vulnerability. This critical flaw allows attackers to execute remote code, triggering widespread malware infections. Thousands of devices, including those in healthcare and… http

    @TheHackersNews

    11 Mar 2025

    13295 Impressions

    48 Retweets

    116 Likes

    18 Bookmarks

    3 Replies

    3 Quotes

  16. While researchers at F5 Labs initially suspected that massive scanning for CVE-2023-1389 might be skewing the numbers, further analysis revealed that even when removing this specific threat, the overall traffic still showed a 91% increase. #Oscars #DiorAW25 #CyberAttack #AI https

    @techaniruddh

    5 Mar 2025

    76 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Recent vulnerability breakdowns include Androxgh0st Botnet Vulnerabilities, CVE-2024-36401 in GeoServer, and CVE-2023-1389 in TP-Link Archer AX21 Firmware. Providing detailed analysis to aid in understanding and mitigation.

    @agentwhitehat

    12 Jan 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. #RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2025-01-06 08:47:14 UTC Source IP: 45.141.156.67 🇧🇬 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 190.123.44.73 🇵🇦 hxxp://190.123.44.73/fk.sh 1c75b2c526118235961ec2ec0d260457 https://t.co/L

    @sicehice

    6 Jan 2025

    397 Impressions

    2 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  19. New botnet exploits vulnerabilities in TP-Link routers and NVRs https://t.co/HgHQJth5Ew DigiEver DS-2105 Pro NVRs, CVE-2023-1389 in TP-Link, CVE-2018-17532 in Teltonika RUT9XX https://t.co/ER5iLQyD4G

    @elhackernet

    27 Dec 2024

    2729 Impressions

    5 Retweets

    30 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  20. #RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-27 04:01:10 UTC Source IP: 5.180.253.220 🇩🇪 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 5.175.237.74 🇩🇪 hxxp://5.175.237.74/GuruITDDoS3.sh c01f89f66afa819108643774b814bfaf https:/

    @sicehice

    27 Dec 2024

    1686 Impressions

    6 Retweets

    29 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  21. A new version of the Mirai botnet for IoT (Internet of Things) devices has recently been released. This malware exploits some IoT devices, such as DVRs and TP-Link modems, through the vulnerability identified as CVE-2023-1389. https://t.co/Poz3aKYxT1 https://t.co/f6TGsDaEQe

    @AmirHossein_sec

    26 Dec 2024

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. #RCE attempts targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-25 07:13:04 UTC Source IP: 154.213.190.250 🇳🇱 Source IP: 154.213.190.246 🇳🇱 POST /cgi-bin/luci/;stok=/locale?form=country https://t.co/w0HNT8W8wP

    @sicehice

    25 Dec 2024

    2790 Impressions

    9 Retweets

    40 Likes

    12 Bookmarks

    1 Reply

    0 Quotes

  23. 🟥 It seems this has only been identified so far and not yet fixed… A new botnet has appeared that exploits vulnerabilities in DIGIEVER NVRs and TP-Link routers: CVE-2023-1389 and others https://t.co/AB485QFpeX

    @n_gsx1300r

    25 Dec 2024

    131 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. A new version of the Mirai botnet for IoT (Internet of Things) devices has been released; this malware exploits some IoT devices, such as DVRs and TP-Link modems, through the vulnerability identified as CVE-2023-1389. The malware attacks a CGI file named cgi_main.cgi located under the cgi-bin path.

    @cybernetic_cy

    25 Dec 2024

    115 Impressions

    3 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. ⚠️ A new botnet has appeared that exploits vulnerabilities in DIGIEVER NVRs and TP-Link routers (CVE-2023-1389 and others) 🚨 API keys and sensitive tokens leaked from more than 30,000 Postman workspaces ~Cyber Alert, 25 December~ https://t.co/WfheYCIH97 #Security #Intelligence #OSINT

    @MachinaRecord

    25 Dec 2024

    189 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. #RCE attempt observed targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-17 19:56:34 UTC Source IP: 147.45.125.26 🇺🇸 POST /cgi-bin/luci;stok=None/admin/system IOCs: hxxp://pidors.ddosit[.]pro/ohshit.sh pidors.ddosit[.]pro --> 147.45.124.54 🇺🇸 https

    @sicehice

    23 Dec 2024

    1413 Impressions

    4 Retweets

    15 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  27. F5 Labs dives into the trends and vulnerabilities shaping the cybersecurity landscape, including to resurgence of CVE-2023-1389, the dominance of single IP address scanning, and more. https://t.co/Z5sLXpE3DU

    @devcentral

    21 Dec 2024

    98 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Dive into the latest F5 Labs vulnerability trends: 🔍 Scanning for CVE-2023-1389 remains the dominant threat as it continues to lead in traffic volume. 🔍 The #BotPoke scanner has switched its IP from Lithuania to Hong Kong https://t.co/uft8uOsZvL https://t.co/ZRSSDce7mq

    @devcentral

    18 Dec 2024

    19 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Everytime one of my honeypots gets a request for stok, I think it's from @stokfredrik 😂 and not CVE-2023-1389 https://t.co/FZK4DeuMis

    @willvandevanter

    4 Dec 2024

    254 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. #RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-30 02:53:38 UTC Source IP: 181.215.193.5 🇹🇷 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 27.102.129.91 🇰🇷 hxxp://27.102.129.91/8UsA.sh 40b419c1257c09142c7f5abcfe4d1e5f htt

    @sicehice

    30 Nov 2024

    230 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  31. #RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-23 16:18:22 UTC Source IP: 45.95.169.104 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 45.95.169.104 🇭🇷 hxxp://45.95.169.104/ohshit.sh Zip of files: https://t.co/xFE3otUq36

    @sicehice

    23 Nov 2024

    197 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Out of the top 10 CVEs we track, CVE-2023-1389 continues to be the most scanned for the second month in a row. Find out why and see what else we discovered in our latest SIS summary. https://t.co/CipzrakOzH #F5Labs #Cybersecurity https://t.co/jFO7N45Eo7

    @F5Labs

    22 Nov 2024

    130 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  33. New SIS! Our latest summary shows a 10% drop in scanning of CVE-2017-9841 compared to August and CVE-2023-1389 continues to take first place as the top CVE scanned. Plus, Lithuania is still in the picture. https://t.co/GhAoWCRjYr #F5Labs #Cybersecurity https://t.co/imjeHFYrxR

    @F5Labs

    15 Nov 2024

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. #RCE attempt targeting TP-Link Archer routers to deliver #Mirai #CVE-2023-1389 2024-10-31 06:37:18 UTC Source IP: 81.28.10.126 🇮🇹 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 109.120.156.253 🇸🇪 hxxp://109.120.156.253/tyo2831qq.sh a0689056629df05410742d40e160d9d1

    @sicehice

    2 Nov 2024

    206 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

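The honeypot posts above all quote the same request line, POST /cgi-bin/luci/;stok=/locale?form=country, and the CISA entry's required action is to apply the vendor update. The following added example (not Intruder's or TP-Link's code) turns both into checks a defender can run: it labels that request shape in web-server access logs, flags shell metacharacters in a captured POST body, and compares a firmware version string against the fixed build named on this page. Everything beyond the request shape is an assumption of the example: the combined access-log format, the sample lines, addresses and timestamps (RFC 5737 documentation ranges, not the IOCs quoted above), the sample bodies, and the version strings, which are constructed; TP-Link builds also differ per hardware revision, and the comparison here uses only the build this page names.

```python
"""Log triage and firmware check for CVE-2023-1389 (TP-Link Archer AX21).

Added example, not Intruder's or TP-Link's code. The request-line shape is the
one reported from honeypots on this page (POST /cgi-bin/luci/;stok=/locale?form=country).
Everything else is an assumption of this example: the combined access-log
format, every sample line, address and timestamp (RFC 5737 documentation
ranges, not the IOCs quoted on the page), and the sample POST bodies.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# LuCI "locale" endpoint. The session token (stok) is empty in the observed
# attempts, but the handler is injectable whatever the token is, so the pattern
# accepts any token. Both "luci;stok" and "luci/;stok" spellings occur.
LOCALE_ENDPOINT = re.compile(r"^/cgi-bin/luci/?;stok=[^/]*/locale$", re.IGNORECASE)

# Combined access-log line: src ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Characters that let a value escape the popen() command line; a legitimate
# two-letter country code never contains any of them.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def classify_request(method: str, target: str) -> Optional[str]:
    """Label one request line, or return None when it is unrelated."""
    parts = urlsplit(target)
    path = unquote(parts.path)   # scanners percent-encode ';' to dodge naive string matches
    if not LOCALE_ENDPOINT.match(path):
        return None
    form = parse_qs(parts.query).get("form", [""])[0].lower()
    if method == "POST" and form == "country":
        return "cve-2023-1389-attempt"
    return "locale-endpoint-access"   # other forms of the same token-less endpoint


def triage_log(lines: List[str]) -> List[Dict]:
    """Run classify_request over access-log lines and collect the hits."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            findings.append({"src": m["src"], "ts": m["ts"],
                             "status": int(m["status"]), "label": label})
    return findings


def inspect_body(body: str) -> Dict:
    """For honeypots that keep the POST body: pull out the country value and
    flag shell metacharacters in it."""
    fields = parse_qs(body, keep_blank_values=True)
    country = fields.get("country", [""])[0]
    return {
        "operation": fields.get("operation", [""])[0],
        "country": country,
        "suspicious": bool(SHELL_META.search(country)),
    }


FIXED_BUILD = (1, 1, 4, 20230219)   # "1.1.4 Build 20230219", the fix named on this page


def is_patched(version: str) -> bool:
    """Parse TP-Link's "x.y.z Build YYYYMMDD" string and compare it with the
    fixed build; anything after the build date is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_BUILD


# Constructed sample log (documentation IPs, not the page's IOCs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1" 200 87',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "POST /cgi-bin/luci%3Bstok=/locale?form=country HTTP/1.1" 200 87',
    '192.0.2.12 - - [01/Jan/2025:10:01:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=lang HTTP/1.1" 200 412',
    '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /webpages/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
    print(inspect_body("operation=write&country=%24%28id%29"))   # constructed body
    print(is_patched("1.1.4 Build 20230219"), is_patched("1.1.4 Build 20230101"))
```

A 200 on the attempt line is not proof of compromise, since the endpoint answers the same way on a patched unit; the status is kept in the finding so that the source can be correlated with outbound fetches of a dropper script, which is what the honeypot posts above report alongside the request. An attempt against a device whose firmware string fails is_patched() is the case that needs the device pulled and re-flashed.
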
Configurations