
TP-Link Archer AX-21 Command Injection Attack

Released: May 23, 2023

Updated: Jun 21, 2023


Severity: Medium

Platform: IoT, Routers

Wifi Router vulnerability actively exploited

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface, in the "country" field of the locale settings. The value of this field is passed to a shell command without any sanitization, so an unauthenticated attacker who can reach the interface can execute arbitrary commands on the device and gain a foothold on it. The vulnerability has been exploited in the wild to deploy Mirai botnet malware.
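The bug class behind this advisory, shown as an added example rather than TP-Link's firmware (which is not on this page): a hypothetical "set country" handler modelled in Python, first in the vulnerable shape (the form value is spliced into a shell command line) and then hardened with an allowlist and a shell-free call. The `echo` command and the handler names are stand-ins chosen for the example.

```python
import re
import subprocess

# Added example, not TP-Link firmware code: a hypothetical "set country" handler
# in two versions. The country value is the attacker-controlled form field.


def vulnerable_set_country(country: str) -> str:
    """Splices the field into a shell command line, the bug class behind CVE-2023-1389.

    `echo` stands in for whatever the real firmware runs; the defect is the
    combination of string interpolation and shell=True on an unvalidated value.
    """
    cmd = f"echo {country}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


# Allowlist: the only legitimate shape for the field is an ISO 3166-1 alpha-2 code.
COUNTRY_RE = re.compile(r"[A-Z]{2}")


def is_valid_country(country: str) -> bool:
    return COUNTRY_RE.fullmatch(country) is not None


def hardened_set_country(country: str) -> str:
    """Validate against the allowlist, then run without a shell.

    The argv form means that even if validation were wrong, ';', '$(...)' or
    backticks would reach the program as literal bytes, not as shell syntax.
    """
    if not is_valid_country(country):
        raise ValueError(f"rejected country value {country!r}")
    out = subprocess.run(["echo", country], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    payload = "US;echo INJECTED"  # constructed, generic shell-metacharacter injection
    print("vulnerable:", repr(vulnerable_set_country(payload)))  # second command runs too
    print("hardened  :", repr(hardened_set_country("US")))
    try:
        hardened_set_country(payload)
    except ValueError as e:
        print("hardened  :", e)
```

With the payload `US;echo INJECTED` the vulnerable handler returns two lines of output because the shell executed both commands; the hardened one rejects the value before anything runs, and would pass it as a single argv element even if it did not. Both layers matter: validation is the first line of defence, but dropping the shell is what removes the injection primitive.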

Common Vulnerabilities and Exposures

CVE-2023-1389

Background

TP-Link is one of the global providers of WLAN devices, and the Archer AX21 is a Wi-Fi router that has been used in attacks to deploy the Mirai botnet. We have previously seen Mirai-based botnet attacks on various other IoT devices and routers from other brands. In February 2023, FortiGuard Labs released a report on active attacks against vulnerable routers from vendors such as D-Link, DASAN and Netgear. See Additional Resources for the full report.

Latest Development

Recent news and incidents related to this threat, such as data breaches, attacks, security incidents and newly discovered vulnerabilities.


April 27, 2023: TP-Link released a security advisory.
https://www.tp-link.com/us/support/faq/3643/

May 1, 2023: CISA added CVE-2023-1389 to its Known Exploited Vulnerabilities (KEV) catalog.

May 09, 2023: FortiGuard Labs released a Threat Signal report on the vulnerability.
https://www.fortiguard.com/threat-signal-report/5157

FortiGuard has observed active attempts to exploit the TP-Link vulnerability (CVE-2023-1389). Fortinet customers remain protected by the IPS signature. FortiGuard recommends that organizations check the firmware version running on their Archer AX21 devices against the affected versions and apply the vendor's patch as soon as possible.
https://www.tp-link.com/ca/support/download/archer-ax21/v3/

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • IPS

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • InfoSec Services

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Indicators of Compromise

IOC Indicator List
Indicator  Type  Status
120.63.180.123 ip Active
185.44.81.114 ip Active
45.95.146.26 ip Active
103.127.78.55 ip Active
admin.duc3k.com domain Inactive
185.225.74.251 ip Active
179.43.163.130 ip Active
http://zvub.us/y url Active
5.248.2.235 ip Active
4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0... file Active
http://185.225.74.251/armv4l url Active
http://185.225.74.251/armv7l url Active
http://185.225.74.251/i586 url Active
http://185.225.74.251/mipsel url Active
http://185.225.74.251/sh4 url Active
http://185.225.74.251/sparc url Active
http://185.225.74.251/arc url Active
0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b6792... file Active
185.225.74.251:80 ip Active
2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a68... file Active
366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf8... file Active
3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7e... file Active
413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0... file Active
461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c... file Active
4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79... file Active
888f4a852642ce70197f77e213456ea2b3cfca4a592b946... file Active
aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b9815... file Active
aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be4... file Active
b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620... file Active
b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74... file Active
eca42235a41dbd60615d91d564c91933b9903af2ef3f835... file Active
http://185.225.74.251/armv5l url Active
http://185.225.74.251/armv6l url Active
http://185.225.74.251/i686 url Active
http://185.225.74.251/m68k url Active
http://185.225.74.251/mips url Active
http://185.225.74.251/x86_64 url Active
zvub.us domain Inactive
45.95.146.26:80 ip Active
85.217.144.35 ip Active
190.211.252.22 ip Active
cdn2.duc3k.com domain Inactive
http://190.211.252.19/y url Active
http://190.211.252.22/cgi-bin/luci/ url Active
190.211.252.19 ip Active
f5968ced46e935dbe5f5e82dc635dc85090b3edf17e399e... file Active
http://85.217.144.35/arm url Active
http://85.217.144.35/arm5 url Active
http://85.217.144.35/arm6 url Active
http://85.217.144.35/arm7 url Active
http://85.217.144.35/m68k url Active
http://85.217.144.35/mips url Active
http://85.217.144.35/mpsl url Active
http://85.217.144.35/ppc url Active
http://85.217.144.35/sh4 url Active
http://85.217.144.35/x86 url Active
http://85.217.144.35/x86_64 url Active
091d1aca4fcd399102610265a57f5a6016f06b1947f8638... file Active
291e6383284d38f958fb90d56780536b03bcc321f117771... file Active
449ad6e25b703b85fb0849a234cbb62770653e6518cf158... file Active
4e3fa5fa2dcc6328c71fed84c9d18dfdbd34f8688c6bee1... file Active
509f5bb6bcc0f2da762847364f7c433d1179fb2b2f4828e... file Active
593e75b5809591469dbf57a7f76f93cb256471d89267c38... file Active
5e841db73f5faefe97e38c131433689cb2df6f024466081... file Active
cbff9c7b5eea051188cfd0c47bd7f5fe51983fba0b237f4... file Active
ccda8a68a412eb1bc468e82dda12eb9a7c9d186fabf0bbd... file Active
duc3k.com domain Inactive
e7a4aae413d4742d9c0e25066997153b844789a1409fd0a... file Active
f7fb5f3dc06aebcb56f7a9550b005c2c4fc6b2e2a50430d... file Active
http://85.217.144.35/abc3.sh url Active
http://cdn2.duc3k.com/t url Active
190.211.252.19:80 ip Active
http://190.211.252.22/y url Active
190.211.252.22:80 ip Active
185.224.128.160 ip Active
185.224.128.31 ip Active
94.156.68.152 ip Active
94.156.68.152:80 ip Active
3ab790c0cd48d52b5d87a60b54cdd2b8ee07b9e21c84468... file Active
dd1a057b4e4ca17de8ea1a3f8b42caefcaa8529fc7e1e83... file Active
http://45.95.146.26/shk url Active
http://94.156.68.152/lol url Active
185.224.128.31:80 ip Active
45.155.91.135 ip Active
45.155.91.135:21425 ip Active
http://94.156.8.244/arm url Active
http://94.156.8.244/arm5 url Active
http://94.156.8.244/arm6 url Active
http://94.156.8.244/arm7 url Active
http://94.156.8.244/i586 url Active
http://94.156.8.244/i686 url Active
http://94.156.8.244/m68k url Active
http://94.156.8.244/mips url Active
http://94.156.8.244/mpsl url Active
http://94.156.8.244/powerpc url Active
http://94.156.8.244/sh4 url Active
http://94.156.8.244/sparc url Active
http://94.156.8.244/x86_64 url Active
185.224.128.34 ip Active
94.156.8.244 ip Active
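How a practitioner would actually use the list above, as an added example (not FortiGuard tooling): a small matcher that loads a subset of the indicators, checks constructed key=value log lines against them, and also groups the URL indicators by host to surface the one-payload-per-architecture layout that marks a Mirai-style loader. The indicator values are the ones on this page; the log format and log lines are made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed subset of the IOC list above (values as listed on this page);
# the log lines further down are made up for this example.
IOC_TABLE = """\
185.225.74.251 ip Active
http://185.225.74.251/armv4l url Active
http://185.225.74.251/armv7l url Active
http://185.225.74.251/mipsel url Active
http://185.225.74.251/sh4 url Active
85.217.144.35 ip Active
http://85.217.144.35/arm url Active
http://85.217.144.35/mips url Active
http://85.217.144.35/x86_64 url Active
http://85.217.144.35/abc3.sh url Active
190.211.252.22 ip Active
http://190.211.252.22/cgi-bin/luci/ url Active
http://190.211.252.22/y url Active
45.155.91.135:21425 ip Active
duc3k.com domain Inactive
cdn2.duc3k.com domain Inactive
"""

# Leaf names Mirai-style loaders use for their per-architecture payloads.
ARCH_NAMES = {"arm", "arm5", "arm6", "arm7", "armv4l", "armv5l", "armv6l", "armv7l",
              "i586", "i686", "x86", "x86_64", "mips", "mipsel", "mpsl", "m68k",
              "sh4", "sparc", "ppc", "powerpc", "arc"}


def parse_iocs(table):
    """Map each indicator to its status, keyed by type; file hashes are skipped
    because the page truncates them."""
    iocs = {"ip": {}, "domain": {}, "url": {}}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        indicator, kind, status = parts
        if kind == "ip":
            indicator = indicator.rsplit(":", 1)[0]  # "host:port" rows (IPv4 only here)
        if kind in iocs:
            iocs[kind][indicator] = status
    return iocs


KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """key=value fields, quoted or bare (constructed log format, not a vendor's)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def domain_hits(hostname, domains):
    """Exact or parent-domain match, so cdn2.duc3k.com also hits duc3k.com."""
    return sorted((d, s) for d, s in domains.items()
                  if hostname == d or hostname.endswith("." + d))


def match_line(line, iocs):
    """Return (field, indicator, status) for every IOC the line touches.
    Inactive indicators still count: a historical hit means the device was infected."""
    f = parse_kv(line)
    hits = []
    for field in ("srcip", "dstip"):
        ip = f.get(field)
        if ip in iocs["ip"]:
            hits.append((field, ip, iocs["ip"][ip]))
    url = f.get("url")
    if url:
        if url in iocs["url"]:
            hits.append(("url", url, iocs["url"][url]))
        for d, s in domain_hits(urlparse(url).hostname or "", iocs["domain"]):
            hits.append(("url_host", d, s))
    for d, s in domain_hits(f.get("hostname", ""), iocs["domain"]):
        hits.append(("hostname", d, s))
    return hits


def staging_hosts(iocs, min_archs=3):
    """Hosts whose URL IOCs name payloads for several CPU architectures: the
    Mirai loader layout visible in the list above."""
    by_host = {}
    for url in iocs["url"]:
        p = urlparse(url)
        leaf = p.path.rstrip("/").rsplit("/", 1)[-1]
        if leaf in ARCH_NAMES:
            by_host.setdefault(p.hostname, set()).add(leaf)
    return sorted(h for h, archs in by_host.items() if len(archs) >= min_archs)


SAMPLE_LOGS = [  # constructed for the example
    'date=2023-05-10 srcip=192.168.1.10 dstip=185.225.74.251 dstport=80 url="http://185.225.74.251/mipsel"',
    'date=2023-05-10 srcip=192.168.1.10 dstip=203.0.113.5 dstport=443 hostname="example.com"',
    'date=2023-05-10 srcip=192.168.1.11 dstip=45.155.91.135 dstport=21425',
    'date=2023-05-10 srcip=192.168.1.12 dstip=192.168.1.1 dstport=53 hostname="cdn2.duc3k.com"',
]


def scan(lines=SAMPLE_LOGS, table=IOC_TABLE):
    """(line index, hits) for every line that matched at least one IOC."""
    iocs = parse_iocs(table)
    results = [(i, match_line(line, iocs)) for i, line in enumerate(lines)]
    return [(i, hits) for i, hits in results if hits]


if __name__ == "__main__":
    print("staging hosts:", staging_hosts(parse_iocs(IOC_TABLE)))
    for i, hits in scan():
        print(f"line {i}: {hits}")
```

Two design points worth keeping when adapting this to a real log source: match on the parent domain as well as the exact hostname, since loaders rotate subdomains, and do not filter on the "Active" status when hunting backwards in time, because a hit on a now-inactive indicator is still evidence that the device was compromised while it was live. The `staging_hosts` grouping is a cheap heuristic that also works on URLs that are not yet on any list: a single host serving `mips`, `mipsel`, `armv7l` and friends is a loader regardless of whose.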
IOC Threat Activity (last 30 days): Avg 0