1. Home
  2. Vulnerabilities
  3. CVE-2023-1389
Known Exploited Vulnerability
8.8
HIGH CVSS 3.1
CVE-2023-1389
TP-Link Archer AX-21 Command Injection Vulnerability - [Actively Exploited]
Description

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

INFO

Published Date :

March 15, 2023, 11:15 p.m.

Last Modified :

March 19, 2025, 8:57 p.m.

Remotely Exploit :

No

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Required Action :

Apply updates per vendor instructions.

Notes :

https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware; https://nvd.nist.gov/vuln/detail/CVE-2023-1389

Affected Products

The following products are affected by CVE-2023-1389 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Tp-link archer_ax21_firmware
2 Tp-link archer_ax21
: Total Affected Vendor : 1 | Products : 2
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
This information is provided by the 3rd party feeds.
  • Update firmware in accordance with vendor advisory.
Public PoC/Exploit Available at Github

CVE-2023-1389 has a 14 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-1389.

URL Resource
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2023-11 Exploit Third Party Advisory
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2023-11 Exploit Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-1389 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-1389 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
AzhariRamadhan/CVE-tplink-cp210-Command-Injection

None

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Aug. 6, 2025, 2:31 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
zulloper/cve-poc

CVE POC repo 자동 수집기

Python

Updated: 16 hours, 57 minutes ago
3 stars 1 fork 1 watcher
Born at : June 8, 2025, 3:07 p.m. This repo has been linked 155 different CVEs too.
Profile Photo
ibrahimsql/CVE2023-1389

TP-Link Archer AX21 Command Injection Exploit (CVE-2023-1389) This script exploits a command injection vulnerability in TP-Link Archer AX21 routers through the unvalidated 'country' parameter in the web interface. It allows unauthenticated attackers to execute arbitrary commands with root privileges.

Python

Updated: 5 months, 2 weeks ago
1 stars 0 fork 0 watcher
Born at : April 26, 2025, 9:21 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
ohnahee/CVE_2023_1389_poc

None

Dockerfile Python

Updated: 5 months, 2 weeks ago
0 stars 0 fork 0 watcher
Born at : April 17, 2025, 8:46 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
plzheheplztrying/cve_monitor

None

HTML Python Shell

Updated: 3 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Feb. 13, 2025, 8:50 a.m. This repo has been linked 891 different CVEs too.
Profile Photo
infcodev/pentesting_scripts

None

Python Shell

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Feb. 6, 2025, 8:03 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
BrandonFanti/FoWL

Fog of War Listener - a network traffic inspection and injection tool.

Python Shell

Updated: 8 months, 3 weeks ago
3 stars 1 fork 1 watcher
Born at : July 29, 2024, 6:33 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
DinoBytes/RVASec-2024-Consumer-Routers-Still-Suck

Slides and other reference material for RVASec 2024 presentation

Updated: 1 year, 3 months ago
4 stars 0 fork 0 watcher
Born at : May 31, 2024, 8:23 p.m. This repo has been linked 5 different CVEs too.
Profile Photo
ahisec/nuclei-tps

nuclei templates

Updated: 3 months, 2 weeks ago
13 stars 5 fork 5 watcher
Born at : May 8, 2024, 5:41 a.m. This repo has been linked 7 different CVEs too.
Profile Photo
Co5mos/nuclei-tps

nuclei templates, poc/exp

Updated: 6 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : Feb. 4, 2024, 2:40 a.m. This repo has been linked 12 different CVEs too.
Profile Photo
werwolfz/CVE-2023-1389

TP-Link Archer AX21 - Unauthenticated Command Injection [Loader]

Go

Updated: 1 year, 9 months ago
0 stars 2 fork 2 watcher
Born at : Dec. 25, 2023, 11:40 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Terminal1337/CVE-2023-1389

TP-Link Archer AX21 - Unauthenticated Command Injection [Loader]

Go

Updated: 1 year, 4 months ago
12 stars 3 fork 3 watcher
Born at : Sept. 9, 2023, 3:53 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
Voyag3r-Security/CVE-2023-1389

None

Python

Updated: 5 months, 3 weeks ago
11 stars 5 fork 5 watcher
Born at : July 28, 2023, 3:09 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Ostorlab/KEV

Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

cisa-kev vulnerability 0day cisa exploits

Updated: 3 days, 3 hours ago
588 stars 42 fork 42 watcher
Born at : April 19, 2022, 8:58 a.m. This repo has been linked 1290 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-1389 vulnerability anywhere in the article.

  • The Hacker News
Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors

Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors. The activity, described as akin to an "exploit sh ... Read more

Published Date: Oct 13, 2025 (6 hours, 54 minutes ago)
  • CybersecurityNews
RondoDox Botnet Exploits 50+ Vulnerabilities to Attack Routers, CCTV Systems and Web Servers

Since its emergence in early 2025, RondoDox has rapidly become one of the most pervasive IoT-focused botnets in operation, targeting a wide range of network-connected devices—from consumer routers to ... Read more

Published Date: Oct 10, 2025 (3 days, 3 hours ago)
  • Daily CyberSecurity
RondoDox Botnet Unleashed: New Malware Uses ‘Exploit Shotgun’ to Target 50+ Router and IoT Flaws

Trend Micro has uncovered a rapidly expanding botnet campaign dubbed RondoDox, which is targeting a wide spectrum of internet-exposed devices — from routers and DVRs to CCTV systems and industrial net ... Read more

Published Date: Oct 10, 2025 (3 days, 15 hours ago)
  • BleepingComputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks

A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions. The attacker focuses on ... Read more

Published Date: Oct 09, 2025 (3 days, 23 hours ago)
  • Trend Micro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits

Cyber Threats Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen i ... Read more

Published Date: Oct 09, 2025 (4 days, 17 hours ago)
  • Daily CyberSecurity
TP-Link NVR Update: Command Injection Flaws Expose Devices to Remote Code Execution

TP-Link has issued a security advisory warning users of two critical operating system command injection vulnerabilities affecting its VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 network video record ... Read more

Published Date: Jul 24, 2025 (2 months, 2 weeks ago)
  • Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the M ... Read more

Published Date: Jun 10, 2025 (4 months ago)
  • The Register
Critical Wazuh bug exploited in growing Mirai botnet infection

Cybercriminals are trying to spread multiple Mirai variants by exploiting a critical Wazuh vulnerability, researchers say – the first reported active attacks since the code execution bug was disclosed ... Read more

Published Date: Jun 10, 2025 (4 months ago)
  • Cyber Security News
Critical Wazuh Server RCE Vulnerability Exploited to Deploy Mirai Variants

Security researchers at Akamai have discovered active exploitation of a critical remote code execution vulnerability in Wazuh servers, marking the first reported in-the-wild attacks against the open-s ... Read more

Published Date: Jun 09, 2025 (4 months ago)
  • Daily CyberSecurity
Critical Wazuh RCE (CVE-2025-24016) Actively Exploited by Mirai Botnets

Akamai’s Security Intelligence and Response Team (SIRT) has uncovered active exploitation of CVE-2025-24016, a critical remote code execution (RCE) vulnerability in Wazuh servers, by multiple Mirai-ba ... Read more

Published Date: Jun 09, 2025 (4 months ago)
  • The Hacker News
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) at ... Read more

Published Date: Jun 09, 2025 (4 months ago)
  • Daily CyberSecurity
Stored XSS Flaw in TP-Link WR841N Routers Could Expose Admin Credentials (CVE-2025-25427)

A security vulnerability has been identified in TP-Link WR841N routers, posing a risk to users. The vulnerability is a stored cross-site scripting (XSS) flaw found in the “upnp.htm” page of the web in ... Read more

Published Date: Apr 23, 2025 (5 months, 2 weeks ago)
  • BleepingComputer
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials

A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IA ... Read more

Published Date: Apr 09, 2025 (6 months ago)
  • Cyber Security News
Routers Under Attack – Attacks Scanning for IoT & Routers at Record High

Vulnerability scanning attacks targeting internet-connected devices have surged dramatically over the past year. According to recent data compiled by F5 Labs in their February 2025 Sensor Intel Series ... Read more

Published Date: Mar 04, 2025 (7 months, 1 week ago)
  • security.nl
Tien jaar oude digitale videorecorder DigiEver doelwit van Mirai-botnet

Een tien jaar oude digitale videorecorder van fabrikant DigiEver is het doelwit van een op de Mirai-malware gebaseerd botnet. Er is op dit moment geen beveiligingsupdate beschikbaar voor de kwetsbaarh ... Read more

Published Date: Dec 25, 2024 (9 months, 2 weeks ago)
  • BleepingComputer
New botnet exploits vulnerabilities in NVRs, TP-Link routers

A new Mirai-based botnetis actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs. The campaign start ... Read more

Published Date: Dec 24, 2024 (9 months, 2 weeks ago)
  • Cybersecurity News
DigiEver DVR Vulnerability Under Attack by Hail Cock Botnet

Akamai Security Intelligence Research Team (SIRT) has uncovered a vulnerability in DigiEver DS-2105 Pro DVRs is being actively exploited by the Hail Cock botnet, a Mirai variant enhanced with modern e ... Read more

Published Date: Dec 23, 2024 (9 months, 2 weeks ago)
  • Dark Reading
US Ban on TP-Link Routers More About Politics Than Exploitation Risk

Source: metamorworks via ShutterstockWith US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on t ... Read more

Published Date: Dec 20, 2024 (9 months, 3 weeks ago)
  • Cybersecurity News
PoC Confirms Root Privilege Exploit in TP-Link Archer AXE75 Vulnerability (CVE-2024-53375)

A newly discovered vulnerability in the TP-Link Archer AXE75 router, tracked as CVE-2024-53375, could allow remote attackers to execute arbitrary commands on vulnerable devices. This critical flaw, id ... Read more

Published Date: Dec 04, 2024 (10 months, 1 week ago)
  • Cybersecurity News
XorBot Botnet Resurfaces with Advanced Evasion and Exploits, Threatens IoT Devices

NSFOCUS has identified a resurgence of the XorBot botnet, a potent threat to Internet of Things (IoT) devices worldwide. First observed in late 2023, XorBot has evolved significantly, introducing adva ... Read more

Published Date: Nov 28, 2024 (10 months, 2 weeks ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2023-1389 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Mar. 19, 2025

    Action Type Old Value New Value
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jan. 28, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-77
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html
    Added Reference https://www.tenable.com/security/research/tra-2023-11
  • Modified Analysis by [email protected]

    Jun. 27, 2024

    Action Type Old Value New Value
    Changed Reference Type http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html No Types Assigned http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit, Third Party Advisory, VDB Entry
    Changed CPE Configuration AND OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:* OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 AND OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Aug. 11, 2023

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html [No Types Assigned]
  • Initial Analysis by [email protected]

    Mar. 21, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://www.tenable.com/security/research/tra-2023-11 No Types Assigned https://www.tenable.com/security/research/tra-2023-11 Exploit, Third Party Advisory
    Added CWE NIST CWE-77
    Added CPE Configuration AND OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

93.91 }} 0.09%

score

0.99869

percentile