TP-Link Archer AX-21 Command Injection Vulnerability (CVE-2023-1389) Exploited in the Wild

Description

What is TP-Link Archer AX21 (AX1800)? TP-Link Archer AX21 (AX1800) is a line of consumer-oriented Wi-Fi routers.
What is the attack? A command injection vulnerability exists in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 that allows an unauthenticated attacker to inject commands and obtain root access via a POST request. The issue has been assigned CVE-2023-1389. The vulnerability has a CVSS base score of 8.8 and is rated HIGH.
Why is this significant?
This is significant because attackers have reportedly begun exploiting CVE-2023-1389 in the wild. Furthermore, proof-of-concept (PoC) code is publicly available, and various reports have stated that the Mirai malware was deployed to vulnerable TP-Link Archer AX21 devices. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 1st, 2023. As such, patches should be applied as soon as possible.
What is the vendor solution? According to the TP-Link advisory, the Archer AX21, if linked to a TP-Link ID, will automatically receive update notifications in the web administration interface and the Tether application. TP-Link strongly recommends that you download and update to the latest firmware for this product model as soon as possible.
What FortiGuard Coverage is available?
FortiGuard Labs has AV and IPS signatures in place to detect exploitation attempts of CVE-2023-1389. For a full list of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.

Outbreak Alert

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, specifically in the "Country" field. This field is not sanitized, so an attacker can exploit it for malicious activity and gain a foothold on the device. The vulnerability has been exploited in the wild to deploy the Mirai botnet.
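The two defender-side checks that follow from the description above are (a) triaging whether a device still runs firmware older than the fixed build named in the advisory, and (b) treating the "Country" value as untrusted input: validating it against a strict allow-list and flagging requests that fail that check. The example below is added here and is not FortiGuard or TP-Link code. The request log format, the endpoint path, the alpha-2 allow-list rule and the sample requests are all constructed assumptions; only the fixed version string "1.1.4 Build 20230219" comes from the advisory.

```python
"""Added example (not from the advisory): triage and detection helpers for an
unsanitized "Country" field reaching a shell, the CVE-2023-1389 pattern."""
import re
from urllib.parse import parse_qs

# Fixed firmware from the advisory: "1.1.4 Build 20230219" -> (major, minor, patch, build)
FIXED_VERSION = (1, 1, 4, 20230219)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})$")

# Assumed allow-list: a country code is exactly two upper-case ASCII letters.
_COUNTRY_RE = re.compile(r"[A-Z]{2}")


def parse_firmware_version(text: str) -> tuple:
    """Turn 'X.Y.Z Build YYYYMMDD' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable_firmware(text: str) -> bool:
    """True when the reported firmware is older than the fixed build."""
    return parse_firmware_version(text) < FIXED_VERSION


def country_is_valid(value: str) -> bool:
    """Allow-list check: accept only two upper-case letters, nothing else."""
    return _COUNTRY_RE.fullmatch(value) is not None


def build_region_command_unsafe(country: str) -> str:
    # The vulnerable pattern: the field is spliced into a shell command line,
    # so any shell metacharacter in it changes what the shell executes.
    # (Hypothetical tool name; returned as a string, never executed here.)
    return f"set_region {country}"


def build_region_command_safe(country: str) -> list:
    # Hardened pattern: validate first, then pass an argv list (no shell).
    if not country_is_valid(country):
        raise ValueError("country must be a two-letter upper-case code")
    return ["set_region", country]  # suitable for subprocess.run(..., shell=False)


def flagged_requests(lines: list) -> list:
    """Scan constructed 'METHOD PATH BODY' request records and return
    (index, offending value) for every POST whose country fails the allow-list."""
    flagged = []
    for i, line in enumerate(lines):
        try:
            method, _path, body = line.split(" ", 2)
        except ValueError:
            continue  # no body present, nothing to inspect
        if method != "POST":
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("country", []):
            if not country_is_valid(value):
                flagged.append((i, value))
    return flagged


# Constructed sample requests; the path is a placeholder, not the router's real endpoint.
SAMPLE_REQUESTS = [
    "POST /admin/country-setting country=US",
    "POST /admin/country-setting country=DE",
    "POST /admin/country-setting country=US%3Becho+injected",
    "GET /admin/status",
]

if __name__ == "__main__":
    print("1.1.0 Build 20220101 vulnerable:", is_vulnerable_firmware("1.1.0 Build 20220101"))
    print("1.1.4 Build 20230219 vulnerable:", is_vulnerable_firmware("1.1.4 Build 20230219"))
    print("flagged:", flagged_requests(SAMPLE_REQUESTS))
```

The version check compares the build date as part of the tuple, so a later build of 1.1.4 is treated as patched while any earlier major/minor/patch is vulnerable regardless of date. The detection deliberately keys on allow-list failure rather than on a blocklist of shell metacharacters, which keeps it robust to encoding tricks: anything that is not exactly two upper-case letters is flagged.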

