- CISA flags security issue affecting multiple TP-Link models
- It allows threat actors to execute arbitrary system-level commands
- Affected models have all reached end of life, so should be replaced anyway
Multiple TP-Link routers, which have long reached end-of-life (EoL) status, are being abused in real-life attacks, the US government is warning.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a command injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling abuse in the wild.
A command injection vulnerability allows threat actors to execute arbitrary system-level commands on a server by exploiting improperly sanitized user input.
Popular routers
In this case, the bug is tracked as CVE-2023-33538 and has a severity score of 8.8/10 (high). It affects multiple models, including TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2.
All of these models reached their EoL long ago – between 2010 and 2018. That means that they are no longer receiving updates, and that TP-Link will not be addressing the command injection vulnerability mentioned above.
Usually, when a bug is added to KEV, Federal Civilian Executive Branch (FCEB) agencies have three weeks to apply the patch. Since in this case, there is no patch, users are urged to replace old hardware with newer versions. The deadline to complete the removal is July 7, 2025.
Most OEMs advise this for all of the equipment that reached end-of-life status, both hardware, and software.
Despite being a decade old, these devices are still quite popular – as ,ost can still be purchased on Amazon, where one of the models has more than 9,000 positive reviews, and another has more than 77,000 reviews and ranks well among other similar routers.
“Users should discontinue product utilization,” CISA warned on its website.
The proof-of-concept exploits are “widely available” online, Cybernews noted, highlighting these types of flaws are most dangerous on publicly exposed routers with remote access features. It doesn’t mean they cannot be exploited within the same local network.
