The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could lead to the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.
"TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm," the agency said.
CISA also warned that the affected products may be end-of-life (EoL) and/or end-of-service (EoS), and urged users to stop using them if no mitigations are available.
There is currently no public information on how the flaw is being exploited in the wild.
In December 2024, Palo Alto Networks Unit 42 disclosed that it had identified additional samples of operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM), and that one of the IP addresses corresponding to an ENCO control device was also acting as a router web server, using a TP-Link WR740N to access the ENCO device from a web browser.
However, it further noted that "there is no hard evidence to indicate that the attackers exploited (CVE-2013-33538) in the July 2024 FrostyGoop attack."
The Hacker News has reached out to TP-Link for more information, and we will update the story when we hear back. In light of active exploitation, federal agencies are required to remediate the flaw by July 7, 2025.
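A defender-side check for the request shape CISA describes (an HTTP GET to /userRpm/WlanNetworkRpm carrying an ssid1 parameter), added here as an illustration and not taken from CISA, TP-Link or the original article. It assumes combined-format access logs from a proxy or sensor in front of the router's web interface; the log lines, IP addresses, function names and the list of shell metacharacters are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/userrpm/wlannetworkrpm"   # component named in the advisory, lower-cased
PARAM = "ssid1"                           # parameter named in the advisory
# Assumption: characters a shell interprets and an SSID rarely needs.
# Legitimate SSIDs can contain some of them, so hits are triage leads, not verdicts.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# Source address and request line of a common/combined access-log entry.
REQ = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (source, decoded ssid1 value) for GETs whose ssid1 holds shell metacharacters."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m or m["method"] != "GET":
            continue
        try:
            url = urlsplit(m["target"])
        except ValueError:                # malformed request target
            continue
        if not url.path.lower().startswith(TARGET_PATH):
            continue
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != PARAM:
                continue
            for value in map(fully_decode, values):
                if SHELL_META.search(value):
                    hits.append((m["src"], value))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2025:10:00:01 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=Home%20Net HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jun/2025:10:02:13 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=lab%3BPLACEHOLDER_CMD HTTP/1.1" 200 512',
    '198.51.100.8 - - [17/Jun/2025:10:02:40 +0000] "GET /userRpm/WlanNetworkRpm?SSID1=%2560PLACEHOLDER%2560 HTTP/1.1" 200 0',
    '192.0.2.11 - - [17/Jun/2025:10:03:00 +0000] "GET /userRpm/StatusRpm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"{src}\tssid1={value!r}")
```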
New Activity Targets CVE-2023-28771
The disclosure comes as GreyNoise warned of exploitation attempts targeting a critical security flaw affecting Zyxel firewalls (CVE-2023-28771, CVSS score: 9.8).
CVE-2023-28771 refers to another operating system command injection vulnerability that could allow an unauthenticated attacker to execute commands by sending crafted requests to a susceptible device. It was patched by Zyxel in April 2023.
While the vulnerability was weaponized to build distributed denial-of-service (DDoS) botnets such as Mirai shortly after public disclosure, the threat intelligence firm said it spotted heightened attempts to exploit it as recently as June 16, 2025.
As many as 244 unique IP addresses are said to have participated in the efforts over a short timespan, with the activity targeting the United States, the United Kingdom, Spain, Germany, and India.
"Historical analysis shows that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior, only targeting CVE-2023-2871," GreyNoise noted, adding that it identified "indicators consistent with Mirai botnet variants."
To mitigate the threat, users are advised to update their Zyxel devices to the latest version, monitor for any anomalous activity, and limit exposure where applicable.