Attempted exploitation of vulnerability impacting EoL TP-Link routers discovered

Palo Alto Networks Unit 42 researchers have identified widespread attempts to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link router models, reports Cybersecurity Dive.

The security flaw was first revealed publicly in June 2023, and the Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities in July 2025 due to concerns of active exploitation. The observed payloads resemble malware commonly associated with Mirai-style botnets, indicating attempts to download and run harmful software on the routers. Researchers noted that access credentials for the router's web management interface is required to successfully exploit the flaw. Users have been advised to avoid using default login credentials.

TP-Link confirmed that the outdated affected routers no longer receive support and recommends using replacements with currently supported hardware. The findings add to the ongoing scrutiny regarding TP-Link equipment security. There had been previous issues with severe vulnerabilities in TP-Link Omada routers discovered by Forescout Research and a botnet campaign incident in 2025 that targeted TP-Link Archer routers.