TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal

Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry. 

Both teams’ entries were successful at the contest, and the vulnerabilities were disclosed to the vendor. Interestingly, the bug was also used by the Tenable team in their unsuccessful Pwn2Own attempt against the device. They, too, disclosed the bug to TP-Link, but their public report did not show that the bug could be exploited on the WAN interface. TP-Link released a firmware update in March that “Fixed some security issues” – including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild.

Vulnerability Details 

The bug itself is an unauthenticated command injection vulnerability in the locale API available via the web management interface. This endpoint allows a user to specify the form we want to call by specifying the query string form along with an operation, which is usually read or write. In this instance, we are interested in the write operation on the country form, which is handled by the set_country function. This function will call merge_config_by_country that concatenates the specified country field into a command string. This command string will be executed using the popen function. There is no sanitization of the country field, so an attacker can achieve command injection at this point.

This functionality is exposed on the LAN side of the router, as evidenced by both Team Viettel and Tenable targeting this functionality at the contest. However, the team from Qrious Security was able to exploit this vulnerability on the WAN interface of the router. They discovered a race condition issue related to iptable handling on the TP-Link’s WAN-side processing that would briefly expose this functionality on the WAN-side. This allowed them to chain the race condition weakness with the locale API command injection to gain code execution at the contest. According to TP-Link, both issues were resolved in the patch released on March 17.

Active Exploitation Details

Starting on April 11th, we began seeing notifications from our telemetry system that a threat actor had started to publicly exploit this vulnerability. You can see an example of the attack here:

Most of the initial activity was seen attacking devices in Eastern Europe, but we are now observing detections in other locations around the globe.

Mirai Payloads

In this version of Mirai, the attackers utilize CVE-2023-1389 to make an HTTP request to the Mirai command and control (C2) servers to download and execute a series of binary payloads. These binary payloads are intended for various system architectures. This is one such request:

The binary payloads are downloaded and then executed using brute-force methodology to find the appropriate payload for the target system architecture.

Once the appropriate binary is found and the payload is installed, the host becomes fully infected and establishes a connection with the Mirai C2. Here’s a network trace showing this connection:

While analyzing some of the payloads, we determined that the threat actors are encrypting strings using 0x00 and 0x22 as XOR keys. Unencrypting these strings revealed some of the capabilities and configuration details that correspond with known Mirai indicators.

Part of the plaintext configuration reveals the Mirai bot attack functions, which can be found in Mirai’s source code. For example:

Among the interesting functions is a TSource Engine Query attack functionality. This can be used to launch a Valve Source Engine (VSE) distributed denial-of-service (DDoS) attack against game servers.

The unencrypted strings reveal further configuration details about this Mirai bot. These include specific User-Agent strings and server headers, such as cloudflare-nginx and dosarrest. These allow the bot to imitate legitimate traffic, making it more difficult to separate DDoS traffic from legitimate network traffic.

Indicators of compromise

The following hashes and other data were detected as being used by this exploit:
Initial Downloader




IP Address


Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing “time-to-exploit” speed that we continue to see across the industry. That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in an enterprise. Looking back at this CVE, it was also interesting to see it being discovered independently by multiple teams in preparation for the Pwn2Own Toronto contest. Each team used different techniques to discover this vulnerability along with distinctive approaches to how they went about exploiting it. We would like to thank all the teams at the Pwn2Own contest for finding and disclosing these critical-class issues. It truly demonstrates the value of the contest, especially in the realm of home and small office devices. Finally, we would like to acknowledge the efforts TP-Link exhibited in developing and deploying a patch. Applying this patch is the only recommended action to address this vulnerability, and we recommend all users of the TP-Link Archer AX21 Wi-Fi router apply it as soon as possible.

Our threat hunting team continues to seek and find exploits being used in the wild, and we’ll publish details on some of these discoveries in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

   Blog post Zero Day Initiative – Blog 

More To Explore

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.