TP-Link Archer WiFi router flaw exploited by Mirai malware

The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms.

Researchers first abused the flaw during the  hacking event in December 2022, where two separate hacking teams breached the device using different pathways ( and  interface access).

The flaw was  in January 2023, with TP-Link  last month in a new firmware update.

The exploitation attempts in the wild was detected by the  (ZDI) starting last week, initially focusing on Eastern Europe and spreading worldwide.

Exploited by Mirai botnet

The CVE-2023-1389 vulnerability is a high-severity (CVSS v3: 8.8) unauthenticated command injection flaw in the locale API of the web management interface of the TP-Link Archer AX21 router.

The source of the problem is the lack of input sanitization in the locale API that manages the router’s language settings, which does not validate or filter what it receives. This allows remote attackers to inject commands that should be executed on the device.

Hackers can exploit the flaw by sending a specially crafted request to the router that contains a command payload as part of the country parameter, followed by a second request that triggers the execution of the command.

The first signs of in-the-wild exploitation became evident on April 11, 2023, and the malicious activity is now detected globally.

Malicious POST request
Malicious POST request (ZDI)

ZDI reports that a new version of the Mirai malware botnet now exploits the vulnerability to gain access to the device. It then downloads the appropriate binary payload for the router’s architecture to recruit the device into its botnet.

The particular version of Mirai is focused on launching DDoS attacks, and its features indicate that it focuses primarily on game servers, having the ability to launch attacks against Valve Source Engine (VSE).

TSource Engine Query attack functionality
TSource Engine Query attack functionality (ZDI)

Another interesting aspect of this new malware version is that it can mimic legitimate network traffic, making it harder for DDoS mitigation solutions to distinguish between malicious and legitimate traffic to reject the garbage traffic effectively.

Mixing legitimate-appearing traffic with garbage requests
Mixing legitimate-appearing traffic with garbage requests (ZDI)

TP-Link fix

TP-Link first attempted to address the problem on February 24, 2023, but and did not prevent exploitation.

Finally, the network equipment maker published a firmware update that addresses the risk of CVE-2023-1389 on March 14, 2023, with version 1.1.4 Build 20230219.

Owners of the Archer AX21 AX1800 dual-band WiFi 6 router can download the latest firmware update for their device’s hardware version .

Signs of an infected TP-Link router include device overheating, internet disconnections, inexplicable changes on the device’s network settings, and resetting of admin user passwords.