Is exploit code available for CVE-2023-33538?

Yes, proof-of-concept exploit code targeting this security flaw was previously published on GitHub, though it has since been removed from the platform. However, the exploit code remains 'widely available' through other online sources, significantly lowering the barrier for malicious actors to weaponize this vulnerability.

Are patches available for the affected TP-Link routers?

According to TP-Link, patched firmware addressing the vulnerability is available through their technical support platform for customers still using these legacy devices. However, since these are end-of-life products, ongoing security support is limited.

What should users do if they have an affected TP-Link router?

Users should immediately contact TP-Link technical support to obtain patched firmware for their specific model. However, TP-Link strongly recommends upgrading to supported router models that receive automatic security updates for ongoing protection against future vulnerabilities.

Why is this vulnerability particularly dangerous?

This vulnerability is particularly dangerous because it allows remote command execution without authentication, affects widely deployed end-of-life devices that don't receive regular security updates, has readily available exploit code, and is being actively exploited by attackers in the wild.

How can attackers exploit this vulnerability remotely?

Attackers can exploit this vulnerability by sending specially crafted HTTP GET requests to the vulnerable /userRpm/WlanNetworkRpm component, manipulating the ssid1 parameter to inject malicious commands that are then executed with system-level privileges on the router.

What does CISA recommend regarding these vulnerable routers?

CISA recommends that organizations identify and replace these end-of-life TP-Link router models immediately. Given the active exploitation and the discontinued status of these devices, replacement with supported hardware that receives regular security updates is the most effective long-term security strategy.

Advisory

CISA warns of active exploitation of discontinued TP-Link router models

Q: What is CVE-2023-33538 and why is CISA issuing an alert?

CVE-2023-33538 is a high-severity command injection vulnerability with a CVSS score of 8.8 affecting multiple discontinued TP-Link wireless router models. CISA has issued an alert because this vulnerability is being actively exploited by attackers in the wild.

Q: Which TP-Link router models are affected by CVE-2023-33538?

The vulnerability affects several popular TP-Link router models that have reached end-of-life status, including the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2. These models were discontinued between 2010 and 2018.

Q: Are these discontinued TP-Link routers still in use?

Yes, many of these devices are still widely deployed across both residential and commercial networks. Some models are even still available for purchase through major online retailers where they maintain thousands of positive customer reviews, despite being discontinued.

Q: When were these TP-Link router models discontinued?

The affected router models were discontinued between 2010 and 2018, meaning they no longer receive security updates or technical support from TP-Link. The company acknowledged that these models have been officially discontinued since 2017.

Q: What is TP-Link's response to CVE-2023-33538?

TP-Link stated that it provided fixes for this security flaw as early as 2018 through its technical support platform. The company encourages customers still using these legacy devices to contact technical support for patched firmware and strongly recommends upgrading to supported models that receive automatic security updates.

published: June 18, 2025

Take action: If you have old TP-Link routers (TL-WR940N, TL-WR841N, TL-WR740N models from 2010-2018), replace them immediately since they're discontinued, are actively exploited and there is even publicly available exploit code. If you can't replace right away, contact TP-Link support for emergency patches or isolate these devices from the internet until you can upgrade to a supported router model.

Learn More

CISA has issued an alert about active exploitation of a high-severity command injection vulnerability affecting multiple discontinued TP-Link wireless router models.

The security flaw is tracked as CVE-2023-33538 (CVSS score 8.8) - Command injection vulnerability. The vulnerability stems from inadequate input sanitization within the /userRpm/WlanNetworkRpm component of the affected routers. The flaw allows remote attackers to execute arbitrary system-level commands by submitting specially crafted HTTP GET requests that manipulate the ssid1 parameter.

It affects several popular TP-Link router models that have long reached their end-of-life status, including the TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2. These models were discontinued between 2010 and 2018, meaning they no longer receive security updates or technical support from TP-Link.

Many of these devices are still widely deployed across both residential and commercial networks. Some models are even still available for purchase through major online retailers where they maintain thousands of positive customer reviews.

Proof-of-concept exploit code targeting this security flaw was previously published on GitHub, though it has since been removed from the platform. The exploit code remains "widely available" through other online sources, significantly lowering the barrier for malicious actors to weaponize this vulnerability.

TP-Link has responded to inquiries about the vulnerability by stating that it provided fixes for this security flaw as early as 2018 through its technical support platform. However, the company acknowledged that the affected router models have been officially discontinued since 2017. TP-Link encourages customers still using these legacy devices to contact technical support for patched firmware that addresses the vulnerability. The company strongly recommends upgrading to supported models that receive automatic security updates for ongoing protection.

CISA warns of active exploitation of discontinued TP-Link router models

Read More
Google patches actively exploited Chrome vulnerability
Netgear reports critical flaws in WiFi routers, advises …
'Leaky Vessels' flaws in multiple container engines expose …
Google releases new Chrome, patching a critical vulnerability
Adobe Issues Emergency Patch for Actively Exploited Acrobat …