Botnets continue exploiting year-old flaw in unpatched TP-Link routers

Attackers continue to exploit a vulnerability in unpatched TP-Link internet routers, adding them to various botnets that can be used to disrupt websites with bogus traffic.

The flaw — CVE-2023-1389 — was discovered last December and patched in March. It affects the Archer AX21, a popular model manufactured by the Hong Kong-based company, which has long been a target of botnet operators. 

Researchers at cybersecurity firm Fortinet said on Tuesday that they observed multiple attacks focusing on this year-old vulnerability, including botnet malware such as Moobot, Mirai, Condi and Gafgyt. The malicious code allows attackers to take control of devices for distributed denial-of-service (DDoS) attacks.

Last April, researchers at Trend Micro reported that hackers exploited the same vulnerability to attack TP-Link routers primarily based in Eastern Europe, adding them to the Mirai botnet. Firmware updates are available from TP-Link.

CVE-2023-1389 is a command injection vulnerability, meaning that an attacker can execute arbitrary instructions on a target system or application. It carries the CVSS severity score of 8.8 out of 10.

“As usual, botnets relentlessly target Internet of Things (IoT) vulnerabilities, continuously attempting to exploit them,” Fortinet said.

“Despite the discovery and provided remediation for the vulnerability CVE-2023-1389 last year, numerous campaigns still exploit it, resulting in significant peaks in our IPS telemetry.”

Researchers ask users to be vigilant against DDoS botnets and promptly apply patches to safeguard their network environments from infection and prevent them from becoming bots for malicious threat actors.