"A New Mirai Botnet Variant Targets TP-Link Archer A21"

The Zero Day Initiative (ZDI) threat-hunting team observed the Mirai botnet attempting to exploit a vulnerability tracked as CVE-2023-1389 (CVSS score 8.8), also known as ZDI-CAN-19557/ZDI-23-451, in TP-Link Archer AX21 Wi-Fi routers. The flaw is an unauthenticated command injection vulnerability in the locale Application Programming Interface (API) of the router's web management interface. Its root cause is a lack of input sanitization in the locale API that manages the router's language settings, so a remote attacker can supply input that is passed through and executed as commands on the device. The vulnerability was first disclosed to ZDI during Pwn2Own Toronto 2022, where Team Viettel and Qrious Security demonstrated exploits against both the LAN and WAN interfaces. TP-Link released a firmware update in March that fixes multiple vulnerabilities, including CVE-2023-1389. ZDI reported that threat actors began exploiting the vulnerability after the fix was made public, with initial attacks concentrated in Eastern Europe. The attackers send a specially crafted request to the router that carries a command payload in the country parameter, followed by a second request that causes the stored command to be executed. This article continues to discuss the new Mirai botnet variant exploiting the ZDI-CAN-19557/ZDI-23-451 vulnerability in TP-Link Archer AX21 Wi-Fi routers.
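
The two defensive controls the summary points at, an allow-list check on the country value (the sanitization the locale API lacked) and a log rule that flags locale requests whose country parameter fails that check, as an added example that is not code from the article, ZDI or TP-Link. It assumes the locale API's URL path contains the word "locale" and that a valid country value is a short language/region code; the exact path and value format of the real firmware are not given on the page, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list for a locale/country value ("en", "en_US", "zh-CN" style codes).
# This is the kind of check the page says the locale API lacked; the exact
# format the real firmware accepts is an assumption, not taken from the page.
COUNTRY_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4})?")

# Request line inside a Common Log Format entry.
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def country_is_valid(value: str) -> bool:
    """Allow-list validation: anything outside the pattern is rejected, so
    shell metacharacters such as ';', '|', '`' or '$' can never pass."""
    return COUNTRY_RE.fullmatch(value) is not None

def flag_locale_requests(log_lines):
    """Return (line_no, src_ip, decoded country value) for every request whose
    path names the locale API (assumption: the path contains 'locale') and whose
    'country' parameter fails the allow-list. Other endpoints are ignored to
    keep the rule scoped to the vulnerable API."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if "locale" not in url.path.lower():
            continue
        # parse_qs percent-decodes, so %3B is seen as ';' here.
        for value in parse_qs(url.query, keep_blank_values=True).get("country", []):
            if not country_is_valid(value):
                hits.append((no, m.group("src"), value))
    return hits

# Constructed sample log lines (not real traffic). "CMD" stands in for
# whatever an attacker would place after the separator.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2023:10:00:01 +0000] "GET /locale?country=en_US HTTP/1.1" 200 41',
    '192.0.2.11 - - [01/May/2023:10:00:02 +0000] "GET /locale?country=de HTTP/1.1" 200 41',
    '198.51.100.7 - - [01/May/2023:10:00:03 +0000] "GET /locale?country=en%3BCMD HTTP/1.1" 200 41',
    '198.51.100.7 - - [01/May/2023:10:00:04 +0000] "GET /status?msg=a%3Bb HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/May/2023:10:00:05 +0000] "POST /locale?country=%60CMD%60 HTTP/1.1" 200 41',
]

if __name__ == "__main__":
    for no, src, value in flag_locale_requests(SAMPLE_LOG):
        print(f"line {no}: {src} sent non-allow-listed country value {value!r}")
```

The rule only catches the first (poisoning) request; the page does not describe the shape of the second request that triggers execution, so that is not modelled here.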

Security Affairs reports "A New Mirai Botnet Variant Targets TP-Link Archer A21"
