Tagvent 2023

The Eleventh Day Of Tagsmas (2023): A Critical Vulnerability in TP-Link Routers (CVE-2023-1389)

CVE: CVE-2023-1389
In CISA KEV: Yes
Vulnerability: Command Injection
Description: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Discovery and Initial Impact

Multiple security research teams discovered CVE-2023-1389 while preparing for the Pwn2Own hacking competition in Toronto, held in December 2022; the vulnerability was publicly disclosed in early 2023. The root cause is inadequate input sanitization in the locale handler of the /cgi-bin/luci endpoint, which manages locale settings: the country value is passed to popen() as part of a shell command string. An unauthenticated attacker who can reach the web management interface can use this to execute arbitrary commands as root on impacted routers.
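To make the root cause concrete, the following is an added illustration, not the router's firmware code (which is C and calls popen()). It reproduces the same pattern in Python: the vulnerable handler splices the attacker-controlled country value into a shell command string and hands it to the shell, while the hardened handler allowlists the value and runs the command as an argv list with no shell at all. The `echo` command template and the ISO 3166-1 alpha-2 allowlist are assumptions made for the example.

```python
"""Vulnerable vs hardened handling of a user-supplied 'country' value (added example)."""
import re
import subprocess


def set_country_vulnerable(country: str) -> str:
    """Mirrors the bug: the value is spliced into a command string that the shell
    parses (popen() semantics), so ';', '|', '$(...)' and '`' inside it run as
    separate commands. The echo template is a hypothetical stand-in for whatever
    the firmware actually runs."""
    cmd = f"echo country={country}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Assumption: valid values are ISO 3166-1 alpha-2 codes, so a strict allowlist suffices.
COUNTRY_CODE = re.compile(r"[A-Z]{2}")


def set_country_hardened(country: str) -> str:
    """Reject anything outside the allowlist, then run without a shell: argv
    elements are passed to the program verbatim and never parsed for metacharacters."""
    if not COUNTRY_CODE.fullmatch(country):
        raise ValueError(f"rejected country value: {country!r}")
    out = subprocess.run(["echo", f"country={country}"],
                         capture_output=True, text=True, check=True)
    return out.stdout


def hardened_rejects(country: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        set_country_hardened(country)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "US;echo INJECTED"          # constructed injection payload
    print(set_country_vulnerable(payload))  # the second command runs
    print(hardened_rejects(payload))        # True: the value never reaches a shell
```

The allowlist is the first line of defence, but the argv-list call is what actually removes the injection class: even if the allowlist were later loosened, there is no shell to interpret the metacharacters.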

Due to the widespread use of TP-Link routers in homes and businesses globally, CVE-2023-1389 posed a major threat. While exploitation attempts were not immediately observed, the number of vulnerable devices exposing their management interface to the internet made large-scale attacks feasible. The vulnerability received a CVSS v3 base score of 9.8 out of 10, reflecting its critical severity.

Exploitation and Long-Term Impacts

Exploitation attempts targeting CVE-2023-1389 began shortly after TP-Link released firmware patches in February 2023. Various malicious actors, including botnet operators, quickly incorporated the vulnerability into their arsenal.

By April 2023, the infamous Mirai IoT botnet had added modules to spread via CVE-2023-1389. Over the next few months, newer botnets like Condi also started leveraging the vulnerability. These botnets can leverage compromised routers to conduct DDoS attacks, mine cryptocurrency, and more. So, while TP-Link addressed the vulnerability, the integration into attacker toolkits means it can still serve as an infection vector. 

Why Defenders Should Still Be Concerned

Many Archer AX21 units are still running vulnerable firmware, leaving them exposed to compromise. Because the exploit is now built into botnet codebases, every unpatched device is a candidate for recruitment rather than a one-off target. And, as the GreyNoise activity graph shows, attackers focused more intently on this vulnerability in the latter half of 2023.

Months after disclosure, CVE-2023-1389 remains an active threat for unpatched devices. Defenders should update affected Archer AX21 units to firmware 1.1.4 Build 20230219 or later, watch for requests to /cgi-bin/luci;stok=/locale that carry a country value with shell metacharacters, and monitor their network accordingly. Where a device cannot be updated immediately, firewall rules that keep the web management interface unreachable from the WAN remove the unauthenticated attack path.
