AI description
CVE-2023-1389 is an unauthenticated command injection vulnerability found in the TP-Link Archer AX21 (AX1800) Wi-Fi router. The vulnerability exists in firmware versions prior to 1.1.4 Build 20230219. Exploitation is possible via a crafted POST request to the router's web management interface. Specifically, the vulnerability lies within the "country" parameter of a form accessible at the /cgi-bin/luci/;stok=/locale endpoint. Due to a lack of proper input sanitization, an attacker can inject arbitrary commands that are executed with root privileges via the `popen()` function. This allows an attacker to gain full control of the affected device. The vulnerability was initially used in a Pwn2Own competition in December 2022. It was later independently discovered by other researchers and publicly disclosed. TP-Link has released firmware version 1.1.4 Build 20230219 to address this issue. Despite the availability of a patch, the vulnerability continues to be actively exploited in the wild by various botnets, including Mirai, Moobot, AGoent, and Gafgyt. It is crucial for users of the affected router model to update their firmware to the latest version to mitigate the risk associated with this vulnerability.
- Description
- TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
- Source
- vulnreport@tenable.com
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- TP-Link Archer AX-21 Command Injection Vulnerability
- Exploit added on
- May 1, 2023
- Exploit action due
- May 22, 2023
- Required action
- Apply updates per vendor instructions.
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
ちなみにArcher AX21(AX1800) 脆弱性「CVE-2023-1389」が放置されてる
@tokeisan3
15 Mar 2025
153 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A new IoT botnet targets TP-Link Archer routers via CVE-2023-1389, exploiting vulnerabilities due to poor firmware updates. Security risks escalate as affected devices grow. 🔒🌐 #IoTThreats #TPLink #USA link: https://t.co/RqJvd55Lr0 https://t.co/cjTHUBTcon
@TweetThreatNews
15 Mar 2025
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Thousands of TP-Link routers are under attack by a powerful botnet! Exploiting CVE-2023-1389 for malware spread and RCE. Stay vigilant! #CVE-2023-1389 #Security https://t.co/sMPJ1Wa1oc
@Synapze_
15 Mar 2025
68 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista. The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet. https://t.co/VnGfzNq6yx ht
@riskigy
13 Mar 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Stay protected! Check out the #CybersecurityThreatAdvisory on CVE-2023-1389, a TP-Link #routervulnerability, to guard against potential #DDoS attacks. Review the details now: https://t.co/ZbLh1UC6qu
@SmarterMSP
12 Mar 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched TP-Link Archer routers are targeted by the Ballista #botnet, exploiting RCE #vulnerability CVE-2023-1389. This flaw allows command injection, leading to remote code execution and spreading malware like Mirai, Condi, and AndroxGh0st☝️🤖 https://t.co/pFySnnanI4
@manuelbissey
12 Mar 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Threat Alert: Italian Threat Actor Deploys Ballista DDoS Botnet, Exploiting TP-Link Router Vulnerability (CVE-2023-1389) to Target Critical Industries 🚨 Summary: An Italian-based threat actor has deployed the Ballista botnet, exploiting CVE-2023-1389 in TP-Link Archer… http
@CyberxtronTech
12 Mar 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ботнет Ballista нацелился на роутеры TP-Link Archer, используя уязвимость CVE-2023-1389 для удалённого выполнения кода. Подробнее https://t.co/mnnoWY9YnE https://t.co/Kpqc2sUHQs
@KZCERT
12 Mar 2025
62 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A new botnet named Ballista targets unpatched TP-Link Archer routers, exploiting a critical vulnerability (CVE-2023-1389). Researchers suspect an Italian threat actor behind this campaign. 🚨 #BotnetThreat #TPLINK #Italy link: https://t.co/CvYKuGacd8 https://t.co/9zV7WFkmxU
@TweetThreatNews
11 Mar 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Busy day here at #FESI. We're tracking the X attack, Ivanti/VeraCore vulnerability exploitation, and the Ballista botnet that consists of TP-Link Archer routers vulnerable to CVE-2023-1389. You can check our threat briefs on all these subjects here: https://t.co/bHaE01IB7B
@Ryan_FESI
11 Mar 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A newly identified IoT botnet, Ballista, linked to an Italian threat actor, exploits a vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread malware globally. ⚠️ #IoTThreat #Italy #MalwareAlert link: https://t.co/TXRmZ33pva https://t.co/UmJgFmNsac
@TweetThreatNews
11 Mar 2025
62 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
TP-Link Archerルーターの未修正の脆弱性(CVE-2023-1389)を悪用した新たなボットネット「Ballista」が発見された。このボットネットは、リモートコード実行(RCE)を可能にする脆弱性を利用し、自動的に拡散する。… https://t.co/73i7cRaPYC
@yousukezan
11 Mar 2025
1909 Impressions
3 Retweets
21 Likes
6 Bookmarks
0 Replies
0 Quotes
⚠️ تستغل شبكة روبوت جديدة، Ballista، أجهزة توجيه #TPLink Archer غير المصححة من خلال ثغرة CVE-2023-1389. تسمح هذه الثغرة للمهاجمين بتنفيذ التعليمات البرمجية عن بُعد، مما يؤدي إلى انتشار عدوى البرامج الضارة على نطاق واسع. #تقنية https://t.co/D6Ft8lnO1t
@Infoandtech3
11 Mar 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Old TP-Link vulnerability (CVE-2023-1389) being actively exploited. Serves as a useful reminder for everyone to check their router firmware is up to date! https://t.co/U2vFeRCkv8
@BlueHatCyber
11 Mar 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ A new botnet, Ballista, is exploiting unpatched TP-Link Archer routers through the CVE-2023-1389 vulnerability. This critical flaw allows attackers to execute remote code, triggering widespread malware infections. Thousands of devices, including those in healthcare and… http
@TheHackersNews
11 Mar 2025
13295 Impressions
48 Retweets
116 Likes
18 Bookmarks
3 Replies
3 Quotes
While researchers at F5 Labs initially suspected that massive scanning for CVE-2023-1389 might be skewing the numbers, further analysis revealed that even when removing this specific threat, the overall traffic still showed a 91% increase. #Oscars #DiorAW25 #CyberAttack #AI https
@techaniruddh
5 Mar 2025
76 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Recent vulnerability breakdowns include Androxgh0st Botnet Vulnerabilities, CVE-2024-36401 in GeoServer, and CVE-2023-1389 in TP-Link Archer AX21 Firmware. Providing detailed analysis to aid in understanding and mitigation.
@agentwhitehat
12 Jan 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2025-01-06 08:47:14 UTC Source IP: 45.141.156.67 🇧🇬 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 190.123.44.73 🇵🇦 hxxp://190.123.44.73/fk.sh 1c75b2c526118235961ec2ec0d260457 https://t.co/L
@sicehice
6 Jan 2025
397 Impressions
2 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
Nueva botnet explota vulnerabilidades en routers TP-Link y NVRs https://t.co/HgHQJth5Ew DigiEver DS-2105 Pro NVRs CVE-2023-1389 en TP-Link CVE-2018-17532 en Teltonika RUT9XX https://t.co/ER5iLQyD4G
@elhackernet
27 Dec 2024
2729 Impressions
5 Retweets
30 Likes
3 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-27 04:01:10 UTC Source IP: 5.180.253.220 🇩🇪 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 5.175.237.74 🇩🇪 hxxp://5.175.237.74/GuruITDDoS3.sh c01f89f66afa819108643774b814bfaf https:/
@sicehice
27 Dec 2024
1686 Impressions
6 Retweets
29 Likes
8 Bookmarks
0 Replies
0 Quotes
به تازگی نسخه جدید بات نت Mirai برای تجهیزات IOT یا همان اینترنت اشیا منتشر شده است. این بدافزار برخی تجهیزات IOT مانند DVRs و مودم های TP-Link را با آسیب پذیری با کد شناسایی CVE-2023-1389 اکسپلویت می کند. https://t.co/Poz3aKYxT1 https://t.co/f6TGsDaEQe
@AmirHossein_sec
26 Dec 2024
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempts targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-25 07:13:04 UTC Source IP: 154.213.190.250 🇳🇱 Source IP: 154.213.190.246 🇳🇱 POST /cgi-bin/luci/;stok=/locale?form=country https://t.co/w0HNT8W8wP
@sicehice
25 Dec 2024
2790 Impressions
9 Retweets
40 Likes
12 Bookmarks
1 Reply
0 Quotes
🟥まだ判明したのみで修正されていないようだ… DIGIEVER製NVRやTP-Link製ルーターの脆弱性を悪用する新たなボットネットが登場:CVE-2023-1389他 https://t.co/AB485QFpeX
@n_gsx1300r
25 Dec 2024
131 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
نسخه جدید بات نتMiraiبرای تجهیزات IOT یا همان اینترنت اشیامنتشرشدکه این بدافزاربرخی تجهیزات IOT مانند DVRs ومودم های TP-Link را با آسیب پذیری با کد شناسایی CVE-2023-1389 اکسپلویت می کند بدافزار فایل cgi ای با نام cgi_main.cgi که در مسیر cgi-bin وجود دارد را مورد حمله قرار می دهد
@cybernetic_cy
25 Dec 2024
115 Impressions
3 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️DIGIEVER製NVRやTP-Link製ルーターの脆弱性を悪用する新たなボットネットが登場(CVE-2023-1389他) 🚨3万超える数のPostmanワークスペースからAPIキーや機微なトークンが流出 〜サイバーアラート 12月25日〜 https://t.co/WfheYCIH97 #セキュリティ #インテリジェンス #OSINT
@MachinaRecord
25 Dec 2024
189 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt observed targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai 2024-12-17 19:56:34 UTC Source IP: 147.45.125.26 🇺🇸 POST /cgi-bin/luci;stok=None/admin/system IOCs: hxxp://pidors.ddosit[.]pro/ohshit.sh pidors.ddosit[.]pro --> 147.45.124.54 🇺🇸 https
@sicehice
23 Dec 2024
1413 Impressions
4 Retweets
15 Likes
4 Bookmarks
1 Reply
0 Quotes
F5 Labs dives into the trends and vulnerabilities shaping the cybersecurity landscape, including to resurgence of CVE-2023-1389, the dominance of single IP address scanning, and more. https://t.co/Z5sLXpE3DU
@devcentral
21 Dec 2024
98 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Dive into the latest F5 Labs vulnerability trends: 🔍 Scanning for CVE-2023-1389 remains the dominant threat as it continues to lead in traffic volume. 🔍 The #BotPoke scanner has switched its IP from Lithuania to Hong Kong https://t.co/uft8uOsZvL https://t.co/ZRSSDce7mq
@devcentral
18 Dec 2024
19 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Everytime one of my honeypots gets a request for stok, I think it's from @stokfredrik 😂 and not CVE-2023-1389 https://t.co/FZK4DeuMis
@willvandevanter
4 Dec 2024
254 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-30 02:53:38 UTC Source IP: 181.215.193.5 🇹🇷 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 27.102.129.91 🇰🇷 hxxp://27.102.129.91/8UsA.sh 40b419c1257c09142c7f5abcfe4d1e5f htt
@sicehice
30 Nov 2024
230 Impressions
0 Retweets
2 Likes
1 Bookmark
1 Reply
0 Quotes
#RCE attempt targeting TP-Link Archer routers #CVE-2023-1389 to deliver #Mirai #opendir 2024-11-23 16:18:22 UTC Source IP: 45.95.169.104 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 45.95.169.104 🇭🇷 hxxp://45.95.169.104/ohshit.sh Zip of files: https://t.co/xFE3otUq36
@sicehice
23 Nov 2024
197 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Out of the top 10 CVEs we track, CVE-2023-1389 continues to be the most scanned for the second month in a row. Find out why and see what else we discovered in our latest SIS summary. https://t.co/CipzrakOzH #F5Labs #Cybersecurity https://t.co/jFO7N45Eo7
@F5Labs
22 Nov 2024
130 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
New SIS! Our latest summary shows a 10% drop in scanning of CVE-2017-9841 compared to August and CVE-2023-1389 continues to take first place as the top CVE scanned. Plus, Lithuania is still in the picture. https://t.co/GhAoWCRjYr #F5Labs #Cybersecurity https://t.co/imjeHFYrxR
@F5Labs
15 Nov 2024
36 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#RCE attempt targeting TP-Link Archer routers to deliver #Mirai #CVE-2023-1389 2024-10-31 06:37:18 UTC Source IP: 81.28.10.126 🇮🇹 POST /cgi-bin/luci/;stok=/locale?form=country IOCs: 109.120.156.253 🇸🇪 hxxp://109.120.156.253/tyo2831qq.sh a0689056629df05410742d40e160d9d1
@sicehice
2 Nov 2024
206 Impressions
1 Retweet
0 Likes
1 Bookmark
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E2DBA0CE-1871-4B4E-BCBD-3693E61DF23E",
"versionEndExcluding": "1.1.4"
}
],
"operator": "OR"
},
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "2DF5A235-4531-4F03-882C-C2A6B6D07A5D"
}
],
"operator": "OR"
}
],
"operator": "AND"
}
]