TP-Link router flaw draws Mirai probes

Hackers are probing older TP-Link home routers in an effort to turn them into Mirai-style botnet nodes, using a known command-injection flaw tracked as CVE-2023-33538. Security researchers say the activity targets discontinued router models and appears to be automated, with scanning and exploit attempts designed to fetch and run malware on exposed devices. The flaw itself is genuine and serious, even though some of the attack traffic observed so far contains coding errors that would stop the infection chain from completing as intended.

The vulnerability affects several legacy TP-Link models, including TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10. Public vulnerability records describe the weakness as a command-injection issue in the /userRpm/WlanNetworkRpm component, where the ssid1 parameter can be abused through a crafted HTTP request. That opens a path for an attacker to run arbitrary system commands on the device if the router is reachable and vulnerable.
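One way a defender can look for probes of this handler in HTTP logs collected upstream of such routers (an edge proxy or honeypot, which is an assumption, as is the Common Log Format), as an added example that is not part of the article: the script parses each line, keeps only requests to /userRpm/WlanNetworkRpm, decodes the ssid1 value (including a double-encoded one), and flags shell metacharacters that have no place in a network name. The log lines are constructed; the injected command in them is a harmless uptime.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the public record for CVE-2023-33538.
VULN_PATH = "/userRpm/WlanNetworkRpm"
VULN_PARAM = "ssid1"

# Shell metacharacters that should never appear in a Wi-Fi network name
# submitted through the router's web UI. Tune this set per environment:
# '&', '$' alone and parentheses are omitted because they do occur in
# legitimate SSIDs.
SHELL_META = re.compile(r"[;|`{}<>\n]|\$\(")

# Common Log Format line, e.g. from an edge proxy or honeypot (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding dict for a suspicious ssid1 value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:          # only the vulnerable handler matters
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(VULN_PARAM, []):
        value = unquote(raw)           # parse_qs decoded once; catch double encoding
        if SHELL_META.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "status": m.group("status"), VULN_PARAM: value}
    return None


def scan(lines):
    """Run inspect_line over a log and return the findings in order."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample: one benign request, one single-encoded ';', the same
# payload against a different handler (ignored), and one double-encoded '$('.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Apr/2026:10:01:02 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=HomeNet&region=0 HTTP/1.1" 200 1200',
    '198.51.100.7 - - [17/Apr/2026:10:02:15 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=x%3Buptime&Save=Save HTTP/1.1" 200 1200',
    '198.51.100.7 - - [17/Apr/2026:10:02:16 +0000] "GET /userRpm/LoginRpm?ssid1=x%3Buptime HTTP/1.1" 404 0',
    '192.0.2.5 - - [17/Apr/2026:10:03:00 +0000] "GET /userRpm/WlanNetworkRpm?ssid1=x%2524%2528uptime%2529 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that an attempt reached the device; whether it succeeded depends on the hardware revision and firmware, which is why the model list above should be checked by version.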

What has sharpened attention around the bug is the combination of government warning and fresh threat telemetry. The vulnerability was added to the US cyber agency’s Known Exploited Vulnerabilities catalogue in June 2025, signalling that exploitation in the wild had been confirmed. New research published on April 17, 2026 said large-scale scanning and exploit attempts are still being detected, with payloads associated with Mirai-like botnet activity. That means the issue has moved beyond a theoretical defect and remains part of the live threat landscape for older consumer networking gear.

Researchers examining the latest campaign said the attack chain tries to download malicious binaries commonly associated with Mirai variants, malware families long used to hijack routers and internet-connected devices for distributed denial-of-service attacks and other abuse. In the samples analysed this week, the intrusion attempts were described as imperfect because the exploit logic appeared mismatched to the command-injection path being targeted. Even so, analysts warned against taking comfort from those mistakes. A working variant, or a slightly improved copycat, could quickly turn the same scanning wave into successful compromise attempts against devices still exposed online.

The broader risk comes from the profile of the hardware involved. These routers are older products, and multiple advisories indicate that the affected units are end-of-life or end-of-service. In practice, that leaves households and small offices with limited options if they are still relying on them as primary internet gateways. Some advisory material says such products should be discontinued altogether because patched versions are unavailable or support has ended, making replacement a safer course than waiting for software fixes that may never arrive.

That matters because ageing home routers remain attractive targets for botnet operators. Consumer devices are often left running for years, seldom audited and frequently configured with weak or default credentials. When a command-injection flaw is paired with outdated firmware, remote administration exposure or poor password hygiene, attackers do not need a sophisticated foothold to enlist a device into a criminal network. The result can be quiet compromise, degraded network performance, malicious traffic relays or use in denial-of-service campaigns without the owner realising what has happened.

The chronology of this case also underlines how long-lived router vulnerabilities can be. CVE-2023-33538 entered public records in June 2023, but warnings about in-the-wild abuse intensified in June 2025 when federal authorities added it to the exploited-vulnerability catalogue. The latest telemetry published in April 2026 shows the flaw is still being actively tested by attackers, more than two years after disclosure. For defenders, that is a reminder that exposure does not end when a bug is named; it often persists for as long as unsupported hardware remains installed in homes and branch offices.

For users, the immediate question is whether a vulnerable router is still in service. Devices on the affected list should be checked against their hardware version, not just the model family name, because TP-Link products often differ by revision. Where support has ended, the safest response is replacement with a supported model, particularly if the router’s management interface is exposed beyond the local network. If a unit must remain in operation for a short period, owners should disable remote management, change default passwords, restrict administration to trusted local access and look for any official firmware guidance still available for that hardware line.




Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
