- CISA Flag’s security question affecting multiple TP-Link models
- It allows threat actors to perform arbitrary system level commands
- Affected models have all reached the end of life so it needs to be replaced anyway
Several TP-Link routers who have long reached the status of the end of life (EOL) are abused in real life, the US government warns.
The US Cyber Security and Infrastructure Security Agency (CISA) has added a command injection vulnerability to its known utilized vulnerabilities (KEV) catalog, signaling abuse in nature.
A vulnerability of command injection allows threat actors to perform arbitrary system-level commands on a server by utilizing incorrect disinfected user input.
Popular routers
In this case, the error is traced as CVE-2023-33538 and has a severity of 8.8/10 (high). It affects several models, including TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10 and TL-WR740N V1/V2.
All of these models reached their EOL long ago – between 2010 and 2018. This means they no longer receive updates and that TP -Link does not address command injection vulnerability mentioned above.
Usually, when an error is added to KEV, the federal civilian executive branch (FCCEB) has agencies three weeks to apply the patch. Since in this case there is no patch, users are encouraged to replace old hardware with newer versions. The deadline for ending the removal is July 7, 2025.
Most OEMs advise this for all the equipment that reached life status, both hardware and software.
Despite being a decade old, these devices are still quite popular – as cheese can still be bought on Amazon, where one of the models has more than 9,000 positive reviews, and another has more than 77,000 reviews and ranks well among other similar routers.
“Users need to disconnect product utilization,” Cisa warned on its website.
Proof-of-concept utilization is “widely available” online, Cygenerws Noticed that highlighting these types of deficiencies is most dangerous on publicly exposed routers with remote access functions. This does not mean that they cannot be utilized within the same local network.
