1. Home
  2. Vulnerabilities
  3. CVE-2023-1389
Known Exploited Vulnerability
8.8
HIGH CVSS 3.1
CVE-2023-1389
TP-Link Archer AX-21 Command Injection Vulnerability - [Actively Exploited]
Description

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

INFO

Published Date :

March 15, 2023, 11:15 p.m.

Last Modified :

March 19, 2025, 8:57 p.m.

Remotely Exploit :

No

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Required Action :

Apply updates per vendor instructions.

Notes :

https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware; https://nvd.nist.gov/vuln/detail/CVE-2023-1389

Affected Products

The following products are affected by CVE-2023-1389 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Tp-link archer_ax21_firmware
2 Tp-link archer_ax21
: Total Affected Vendor : 1 | Products : 2
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
This information is provided by the 3rd party feeds.
  • Update firmware in accordance with vendor advisory.
Public PoC/Exploit Available at Github

CVE-2023-1389 has a 13 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-1389.

URL Resource
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2023-11 Exploit Third Party Advisory
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit Third Party Advisory VDB Entry
https://www.tenable.com/security/research/tra-2023-11 Exploit Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-1389 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-1389 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
AzhariRamadhan/CVE-tplink-cp210-Command-Injection

None

Updated: 3 weeks, 1 day ago
0 stars 0 fork 0 watcher
Born at : Aug. 6, 2025, 2:31 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
zulloper/cve-poc

CVE POC repo 자동 수집기

Python

Updated: 1 day, 16 hours ago
0 stars 1 fork 1 watcher
Born at : June 8, 2025, 3:07 p.m. This repo has been linked 126 different CVEs too.
Profile Photo
ibrahimsql/CVE2023-1389

TP-Link Archer AX21 Command Injection Exploit (CVE-2023-1389) This script exploits a command injection vulnerability in TP-Link Archer AX21 routers through the unvalidated 'country' parameter in the web interface. It allows unauthenticated attackers to execute arbitrary commands with root privileges.

Python

Updated: 4 months ago
1 stars 0 fork 0 watcher
Born at : April 26, 2025, 9:21 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
ohnahee/CVE_2023_1389_poc

None

Dockerfile Python

Updated: 4 months ago
0 stars 0 fork 0 watcher
Born at : April 17, 2025, 8:46 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
plzheheplztrying/cve_monitor

None

HTML Python Shell

Updated: 1 month, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 13, 2025, 8:50 a.m. This repo has been linked 891 different CVEs too.
Profile Photo
BrandonFanti/FoWL

Fog of War Listener - a network traffic inspection and injection tool.

Python Shell

Updated: 7 months, 1 week ago
3 stars 1 fork 1 watcher
Born at : July 29, 2024, 6:33 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
DinoBytes/RVASec-2024-Consumer-Routers-Still-Suck

Slides and other reference material for RVASec 2024 presentation

Updated: 1 year, 2 months ago
4 stars 0 fork 0 watcher
Born at : May 31, 2024, 8:23 p.m. This repo has been linked 5 different CVEs too.
Profile Photo
ahisec/nuclei-tps

nuclei templates

Updated: 2 months ago
13 stars 5 fork 5 watcher
Born at : May 8, 2024, 5:41 a.m. This repo has been linked 7 different CVEs too.
Profile Photo
Co5mos/nuclei-tps

nuclei templates, poc/exp

Updated: 4 months, 3 weeks ago
1 stars 0 fork 0 watcher
Born at : Feb. 4, 2024, 2:40 a.m. This repo has been linked 12 different CVEs too.
Profile Photo
werwolfz/CVE-2023-1389

TP-Link Archer AX21 - Unauthenticated Command Injection [Loader]

Go

Updated: 1 year, 8 months ago
0 stars 2 fork 2 watcher
Born at : Dec. 25, 2023, 11:40 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Terminal1337/CVE-2023-1389

TP-Link Archer AX21 - Unauthenticated Command Injection [Loader]

Go

Updated: 1 year, 2 months ago
12 stars 3 fork 3 watcher
Born at : Sept. 9, 2023, 3:53 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
Voyag3r-Security/CVE-2023-1389

None

Python

Updated: 4 months ago
11 stars 5 fork 5 watcher
Born at : July 28, 2023, 3:09 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Ostorlab/KEV

Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

cisa-kev vulnerability 0day cisa exploits

Updated: 2 weeks, 6 days ago
581 stars 42 fork 42 watcher
Born at : April 19, 2022, 8:58 a.m. This repo has been linked 1287 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-1389 vulnerability anywhere in the article.

  • Daily CyberSecurity
TP-Link NVR Update: Command Injection Flaws Expose Devices to Remote Code Execution

TP-Link has issued a security advisory warning users of two critical operating system command injection vulnerabilities affecting its VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 network video record ... Read more

Published Date: Jul 24, 2025 (1 month ago)
  • Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto
Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the M ... Read more

Published Date: Jun 10, 2025 (2 months, 2 weeks ago)
  • The Register
Critical Wazuh bug exploited in growing Mirai botnet infection

Cybercriminals are trying to spread multiple Mirai variants by exploiting a critical Wazuh vulnerability, researchers say – the first reported active attacks since the code execution bug was disclosed ... Read more

Published Date: Jun 10, 2025 (2 months, 2 weeks ago)
  • Cyber Security News
Critical Wazuh Server RCE Vulnerability Exploited to Deploy Mirai Variants

Security researchers at Akamai have discovered active exploitation of a critical remote code execution vulnerability in Wazuh servers, marking the first reported in-the-wild attacks against the open-s ... Read more

Published Date: Jun 09, 2025 (2 months, 2 weeks ago)
  • Daily CyberSecurity
Critical Wazuh RCE (CVE-2025-24016) Actively Exploited by Mirai Botnets

Akamai’s Security Intelligence and Response Team (SIRT) has uncovered active exploitation of CVE-2025-24016, a critical remote code execution (RCE) vulnerability in Wazuh servers, by multiple Mirai-ba ... Read more

Published Date: Jun 09, 2025 (2 months, 2 weeks ago)
  • The Hacker News
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) at ... Read more

Published Date: Jun 09, 2025 (2 months, 2 weeks ago)
  • Daily CyberSecurity
Stored XSS Flaw in TP-Link WR841N Routers Could Expose Admin Credentials (CVE-2025-25427)

A security vulnerability has been identified in TP-Link WR841N routers, posing a risk to users. The vulnerability is a stored cross-site scripting (XSS) flaw found in the “upnp.htm” page of the web in ... Read more

Published Date: Apr 23, 2025 (4 months ago)
  • BleepingComputer
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials

A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IA ... Read more

Published Date: Apr 09, 2025 (4 months, 2 weeks ago)
  • Cyber Security News
Routers Under Attack – Attacks Scanning for IoT & Routers at Record High

Vulnerability scanning attacks targeting internet-connected devices have surged dramatically over the past year. According to recent data compiled by F5 Labs in their February 2025 Sensor Intel Series ... Read more

Published Date: Mar 04, 2025 (5 months, 3 weeks ago)
  • security.nl
Tien jaar oude digitale videorecorder DigiEver doelwit van Mirai-botnet

Een tien jaar oude digitale videorecorder van fabrikant DigiEver is het doelwit van een op de Mirai-malware gebaseerd botnet. Er is op dit moment geen beveiligingsupdate beschikbaar voor de kwetsbaarh ... Read more

Published Date: Dec 25, 2024 (8 months ago)
  • BleepingComputer
New botnet exploits vulnerabilities in NVRs, TP-Link routers

A new Mirai-based botnetis actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs. The campaign start ... Read more

Published Date: Dec 24, 2024 (8 months ago)
  • Cybersecurity News
DigiEver DVR Vulnerability Under Attack by Hail Cock Botnet

Akamai Security Intelligence Research Team (SIRT) has uncovered a vulnerability in DigiEver DS-2105 Pro DVRs is being actively exploited by the Hail Cock botnet, a Mirai variant enhanced with modern e ... Read more

Published Date: Dec 23, 2024 (8 months ago)
  • Dark Reading
US Ban on TP-Link Routers More About Politics Than Exploitation Risk

Source: metamorworks via ShutterstockWith US government agencies and lawmakers reportedly considering a ban on TP-Link's products in the United States, one might think the company would rank high on t ... Read more

Published Date: Dec 20, 2024 (8 months, 1 week ago)
  • Cybersecurity News
PoC Confirms Root Privilege Exploit in TP-Link Archer AXE75 Vulnerability (CVE-2024-53375)

A newly discovered vulnerability in the TP-Link Archer AXE75 router, tracked as CVE-2024-53375, could allow remote attackers to execute arbitrary commands on vulnerable devices. This critical flaw, id ... Read more

Published Date: Dec 04, 2024 (8 months, 3 weeks ago)
  • Cybersecurity News
XorBot Botnet Resurfaces with Advanced Evasion and Exploits, Threatens IoT Devices

NSFOCUS has identified a resurgence of the XorBot botnet, a potent threat to Internet of Things (IoT) devices worldwide. First observed in late 2023, XorBot has evolved significantly, introducing adva ... Read more

Published Date: Nov 28, 2024 (9 months ago)
  • The Hacker News
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

IoT Security / Vulnerability The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying th ... Read more

Published Date: Nov 08, 2024 (9 months, 2 weeks ago)
  • Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilit ... Read more

Published Date: Nov 07, 2024 (9 months, 3 weeks ago)
  • The Hacker News
New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries

Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that is a variant of the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identi ... Read more

Published Date: Oct 07, 2024 (10 months, 3 weeks ago)
  • Cybersecurity News
CVE-2024-42815 (CVSS 9.8): Buffer Overflow Flaw in TP-Link Routers Opens Door to RCE

A critical vulnerability has been found in TP-Link RE365 V1_180213 series routers, leaving them susceptible to remote exploitation and potential takeover. Identified as CVE-2024-42815 and carrying a n ... Read more

Published Date: Aug 30, 2024 (11 months, 4 weeks ago)
  • Cybersecurity News
Mirai Botnet Exploits Zero-Day Vulnerability CVE-2024-7029 in AVTECH IP Cameras

Akamai’s Security Intelligence Response Team (SIRT) has discovered a widespread Mirai botnet campaign exploiting a recently disclosed zero-day vulnerability (CVE-2024-7029) in AVTECH IP cameras. The v ... Read more

Published Date: Aug 29, 2024 (11 months, 4 weeks ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2023-1389 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Mar. 19, 2025

    Action Type Old Value New Value
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jan. 28, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-77
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html
    Added Reference https://www.tenable.com/security/research/tra-2023-11
  • Modified Analysis by [email protected]

    Jun. 27, 2024

    Action Type Old Value New Value
    Changed Reference Type http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html No Types Assigned http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html Exploit, Third Party Advisory, VDB Entry
    Changed CPE Configuration AND OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:* OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 AND OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Aug. 11, 2023

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html [No Types Assigned]
  • Initial Analysis by [email protected]

    Mar. 21, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://www.tenable.com/security/research/tra-2023-11 No Types Assigned https://www.tenable.com/security/research/tra-2023-11 Exploit, Third Party Advisory
    Added CWE NIST CWE-77
    Added CPE Configuration AND OR *cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 1.1.4 OR cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

93.96 }} -0.06%

score

0.99876

percentile