Home
Mapping Frameworks
Known Exploited Vulnerabilities Home
TP-Link Archer AX-21 Command Injection Vulnerability

Known Exploited Vulnerabilities CVE-2023-1389 Mappings

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
CVE-2023-1389	TP-Link Archer AX-21 Command Injection Vulnerability	secondary_impact	T1041	Exfiltration Over C2 Channel	Comments CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices. References https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html https://cybersecuritynews.com/hackers-exploiting-tp-link/ https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
CVE-2023-1389	TP-Link Archer AX-21 Command Injection Vulnerability	secondary_impact	T1070	Indicator Removal	Comments CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices. References https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html https://cybersecuritynews.com/hackers-exploiting-tp-link/ https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
CVE-2023-1389	TP-Link Archer AX-21 Command Injection Vulnerability	secondary_impact	T1498	Network Denial of Service	Comments CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices. References https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html https://cybersecuritynews.com/hackers-exploiting-tp-link/ https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
CVE-2023-1389	TP-Link Archer AX-21 Command Injection Vulnerability	primary_impact	T1496	Resource Hijacking	Comments CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices. References https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html https://cybersecuritynews.com/hackers-exploiting-tp-link/ https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
CVE-2023-1389	TP-Link Archer AX-21 Command Injection Vulnerability	exploitation_technique	T1106	Native API	Comments CVE-2023-1389 is a command injection vulnerability in one of the API components within the TP-Link Archer router’s web management interface. Public reports have reported that multiple botnet malware under the Mirai variants, including Condi, are targeting these vulnerable devices. References https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread https://cybersecuritynews.com/hackers-exploiting-tp-link/ https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/