TP-Link Router Vulnerability Exploited

When will organizations learn that unpatched network infrastructure represents one of cybersecurity’s most persistent vulnerabilities? Cybercriminals are actively exploiting CVE-2023-33538, a critical command injection flaw in TP-Link routers that allows attackers to execute arbitrary system commands through carefully crafted HTTP GET requests targeting the ssid1 parameter.

Unpatched network infrastructure remains cybersecurity’s most persistent vulnerability as cybercriminals actively exploit critical router flaws.

The vulnerability, carrying a CVSS score of 8.8, affects multiple router models including TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 through the /userRpm/WlanNetworkRpm component. Security researchers have documented global exploitation attempts, with U.S. federal systems among the targeted infrastructure.
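The vulnerable handler and parameter named above give a defender something concrete to hunt for. The following is an added example, not code from the article or from TP-Link: it assumes request lines for the router have been captured by a reverse proxy, IDS sensor or packet capture and written in Apache/nginx combined log format, and it flags requests to /userRpm/WlanNetworkRpm whose ssid1 value carries shell metacharacters (including double-URL-encoded ones).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler named in the advisory; the ssid1 query parameter is the injection point.
VULN_PATH = "/userRpm/WlanNetworkRpm"
# Shell metacharacters that never belong in a legitimate SSID value.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n]")
# Apache/nginx combined log format (client IP, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True when the request hits the vulnerable handler with a tainted ssid1 value."""
    parts = urlsplit(entry["target"])
    if parts.path != VULN_PATH:
        return False
    # parse_qs decodes once; unquote again so double-encoded values are caught too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("ssid1", []):
        if SHELL_META.search(unquote(value)):
            return True
    return False

def scan(lines):
    """Return (client_ip, timestamp, request_target) for every suspicious line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["target"]))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:08:01:12 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi&Save=Save HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jun/2025:08:02:44 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeWiFi%3Becho HTTP/1.1" 200 512',
    '192.0.2.55 - - [10/Jun/2025:08:03:01 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Guest%253Becho HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2025:08:04:30 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, ts, target in scan(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target}")
```

A hit is a reason to check the device's firmware level and reset it from a known-good image, not proof of compromise on its own; legitimate admin traffic to this handler will not carry metacharacters in an SSID.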

Attackers utilize remote code execution capabilities to download malicious payloads, establish persistent access, and transform compromised devices into botnet components. CISA has added CVE-2023-33538 to its Known Exploited Vulnerabilities catalog, mandating federal agency remediation by July 7, 2025. The directive reflects growing concerns about compromised network infrastructure following documented attacks since January 2025.

Chinese state-sponsored groups, including Volt Typhoon, Salt Typhoon, and Flax Typhoon, have incorporated compromised routers into large-scale campaign infrastructure, though security analysts note these actors target multiple router brands rather than focusing exclusively on TP-Link devices.

Compromised routers present complex security risks extending beyond individual device compromise. Attackers frequently gain root access, allowing complete control over network traffic and device configuration. Hijacked routers serve as pivot points for internal network reconnaissance, data interception operations, and persistent surveillance activities.

Criminal organizations integrate compromised devices into botnets, facilitating distributed denial-of-service attacks and supporting both cybercriminal and nation-state operations. The vulnerability’s impact is heightened by widespread deployment across home and business environments, with many affected models approaching end-of-life status.

Previous incidents involving similar command injection flaws, such as CVE-2024-21833, demonstrate recurring security challenges within TP-Link router series. Organizations operating vulnerable devices face potential access to operational technology systems, greatly expanding attack surfaces. The company maintains Vietnam manufacturing operations for its routers while managing R&D functions from its U.S. headquarters. The Department of Commerce has opened a probe into TP-Link amid concerns over potential exploitation by PRC threat actors and compliance with Chinese data sharing laws.

Security professionals stress immediate firmware updates or device replacement for unsupported models, as compromised routers allow attackers to launch subsequent attacks against both internal networks and external targets.
