CVE-2023-1389

Vulnerability updated 2 months ago (2024-06-25T18:17:40.310Z)
CVE-2023-1389 is a significant software vulnerability, specifically a command injection flaw, in TP-Link Archer AX21 routers. The flaw was publicly disclosed in March of this year and has since been exploited by malicious actors to gain unauthorized access to devices. Attack traffic routed through compromised devices has been observed, indicating active exploitation of the vulnerability. Recent attacks have shown a new variant of the Mirai botnet exploiting this vulnerability to hijack devices. Additionally, Fortinet has reported that IZ1H9, another malicious actor, has added an exploit for CVE-2023-1389 alongside exploits for other vulnerabilities affecting various routers and devices, which highlights how widely this flaw is used by different threat actors to compromise systems. The malware known as the Condi DDoS bot has also been observed exploiting CVE-2023-1389 to infect TP-Link Archer AX21 routers. Reports indicate that this remote code execution vulnerability is being actively exploited in the wild, posing a significant security risk to users of the affected routers. Users are advised to apply the latest firmware updates to mitigate this vulnerability and protect their devices.
Description last updated: 2024-06-25T18:16:16.039Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Vulnerability, Tp, Botnet, Malware, Exploit, flaw, exploited, Remote Code ...
Associated Malware
ID | Type | Votes | Profile Description
Mirai Botnet | Unspecified | 6 | The Mirai botnet is a type of malware, specifically designed to exploit and damage computer systems. It infiltrates these systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold yo
Mirai | Unspecified | 6 | Mirai is a type of malware that specifically targets Internet of Things (IoT) devices such as smart speakers, cameras, and connected home equipment. It exploits weak Telnet (port 23) and SSH (port 22) credentials to gain control over these devices. Once infected, these devices are then incorporated
Condi | Unspecified | 5 | The Condi botnet, a variant of the Mirai malware, was first observed exploiting unpatched TP-Link routers through the vulnerability CVE-2023-1389. This was initially disclosed by FortiGuard Labs in 2023, and they noted that this malicious software was being used for distributed denial-of-service (DD
Gafgyt Variant | Unspecified | 2 | The Gafgyt variant is a malicious software that poses a significant threat to computer systems and devices. This malware can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information,
Gafgyt | Unspecified | 2 | Gafgyt, also known as Bashlite, is a type of malware that targets Linux architecture operating systems with the primary intent to launch distributed denial of service (DDoS) attacks. This malicious software infiltrates systems often through suspicious downloads, emails, or websites, and upon entry,
Agoent | Unspecified | 2 | AGoent is a sophisticated malware, a malicious software designed to exploit and damage computer systems. This Golang-based agent bot has been observed in multiple attacks, exploiting a year-old vulnerability to launch various nefarious activities. It operates by fetching the script file "exec.sh" fr
Source Document References
Information about the CVE-2023-1389 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | 2 months ago | Cyber Attackers Turn to Cloud Services to Deploy Malware
Fortinet | 2 months ago | The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
BankInfoSecurity | 5 months ago | Exploited TP-Link Vulnerability Spawns Botnet Threats
DARKReading | 5 months ago | Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks
Fortinet | 5 months ago | Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread | FortiGuard Labs
Fortinet | 6 months ago | Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 | FortiGuard Labs
SANS ISC | 7 months ago | Mirai-Mirai On The Wall... [Guest Diary] - SANS Internet Storm Center
SANS ISC | 9 months ago | Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today - SANS Internet Storm Center
SANS ISC | 10 months ago | CVE-2023-1389: A New Means to Expand Botnets - SANS Internet Storm Center
CERT-EU | 10 months ago | CVE-2023-1389: A New Means to Expand Botnets, (Wed, Nov 22nd) – Cybersafe NV
Securityaffairs | a year ago | Mirai-based botnet IZ1H9 added 13 payloads to target routers
CERT-EU | a year ago | IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
CERT-EU | a year ago | Mirai reloads exploit arsenal before latest expansion drive
CERT-EU | a year ago | Mirai DDoS malware variant expands targets with 13 router exploits
CERT-EU | a year ago | Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal
Fortinet | a year ago | IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
CERT-EU | a year ago | Heimdal®’s Semiannual Rundown of the Most Exploited Vulnerabilities of 2023
Securityaffairs | a year ago | Multiple DDoS botnets were observed targeting Zyxel devices
CERT-EU | a year ago | Several bugs added to CISA vulnerability catalog
CERT-EU | a year ago | In Other News: Microsoft Win32 App Isolation, Tsunami Hits Linux Servers, ChatGPT Credentials Exposed on Dark Web