ACTIVELY EXPLOITED · 3 sources verified · 4 min read
By Lyrie Threat Intelligence · 6/16/2025

What happened

CISA added CVE-2023-33538 to the Known Exploited Vulnerabilities catalog on 2025-06-16, signaling confirmed exploitation in the wild (CISA KEV). The entry names a command injection flaw in TP-Link routers and sets a remediation due date of 2025-07-07 for impacted orgs (CISA KEV). The affected models are TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2, with injection via the component path /userRpm/WlanNetworkRpm (CISA KEV, NVD CVE-2023-33538). CISA notes these products could be end-of-life/end-of-service and advises discontinuing use where mitigations are unavailable (CISA KEV). The CVE is tracked formally at NVD and MITRE for identification and coordination (NVD CVE-2023-33538, MITRE CVE-2023-33538).

Why it matters

Command injection on a perimeter router is a turnkey path to run attacker-supplied system commands on the device (NVD CVE-2023-33538). The models called out are widely deployed, low-cost gear that often persists beyond official support windows; CISA explicitly flags possible EoL/EoS status and recommends discontinuation when fixes aren’t available (CISA KEV). Once abused, a compromised router can be repurposed for traffic interception, lateral movement, or integration into automated attack infrastructure; the addition to KEV confirms adversaries are already operationalizing this bug (CISA KEV). For defenders, this moves the issue from “patch when convenient” to “remove or replace now.”

Technical detail

The vulnerability is cataloged as CVE-2023-33538 and classified as command injection (CWE-77), indicating that unsanitized input reaches a command interpreter on the router (NVD CVE-2023-33538). The affected HTTP component is /userRpm/WlanNetworkRpm, referenced directly in both the KEV entry and the NVD record (CISA KEV, NVD CVE-2023-33538). Impacted models and hardware revisions explicitly listed:

  • TL-WR940N V2/V4
  • TL-WR841N V8/V10
  • TL-WR740N V1/V2

CISA’s entry states exploitation is confirmed and mandates action by 2025-07-07 for covered entities, aligning with Binding Operational Directive enforcement timelines (CISA KEV). The advisory text instructs orgs to apply vendor mitigations where possible, follow applicable guidance, or discontinue product utilization if mitigations are unavailable (CISA KEV). MITRE maintains the canonical CVE record to support tooling correlation and SBOM/intake pipelines (MITRE CVE-2023-33538).

Defense

Priority is asset eradication or isolation, not long-tail patching. Take the following steps:

  • Identify presence. Search inventories, CMDBs, and network-edge fingerprints for TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 models cited by CISA’s KEV entry (CISA KEV). Treat anything matching as at-risk until proven otherwise (CISA KEV).
  • Remove or replace. CISA advises discontinuation if mitigations are unavailable, and flags that impacted products could be EoL/EoS—plan immediate replacement with supported hardware (CISA KEV).
  • If temporary containment is unavoidable, isolate aggressively. Limit management access to trusted administrative networks only and monitor for any hits to /userRpm/WlanNetworkRpm on these devices, which is the vulnerable component path in the CVE (NVD CVE-2023-33538). Any observed access attempts to that endpoint should be treated as suspicious during the containment window (NVD CVE-2023-33538).
  • Execute the KEV mandate by the due date. CISA lists 2025-07-07 as the remediation deadline for this CVE; track and report completion for compliance where applicable (CISA KEV).
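The first three steps above (identify presence, then watch the vulnerable component path during containment) can be scripted against an inventory export and device access logs. The block below is an added example, not code from the original advisory or from Lyrie. It assumes a CMDB export with host/model/hw_version fields, Common Log Format access-log lines, and a list of "trusted administrative networks" (RFC 1918, loopback, link-local) that should be adjusted to the environment; the field names, sample hosts and log lines are all constructed. Matching on model plus hardware revision is deliberately exact, so a revision not on the KEV list (e.g. TL-WR841N V9) is not flagged, and any request to /userRpm/WlanNetworkRpm is reported, with external-origin requests escalated.

```python
import ipaddress
import re
from urllib.parse import unquote

# Affected models and hardware revisions for CVE-2023-33538, exactly as listed
# in the CISA KEV entry and the NVD record. Revisions not on the list (for
# example TL-WR841N V9) are not flagged: the match is deliberately exact.
AFFECTED_REVISIONS = {
    "TL-WR940N": {"V2", "V4"},
    "TL-WR841N": {"V8", "V10"},
    "TL-WR740N": {"V1", "V2"},
}

# Vulnerable HTTP component path named in the KEV entry and NVD record.
VULNERABLE_PATH = "/userRpm/WlanNetworkRpm"

# Assumed "trusted administrative networks" (RFC 1918, loopback, link-local);
# adjust to the management ranges of the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Common Log Format, assumed as the log shape of a proxy or the device itself;
# the group names are ours, not a vendor format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_affected(model: str, hw_version: str) -> bool:
    """True only when both the model and its hardware revision are on the KEV list."""
    model = model.strip().upper()
    hw = hw_version.strip().upper()
    if not hw.startswith("V"):          # tolerate a bare "2" from a CMDB export
        hw = "V" + hw
    return hw in AFFECTED_REVISIONS.get(model, set())


def find_affected_assets(inventory):
    """Return hostnames of inventory rows (dicts with host/model/hw_version) that match."""
    return [row["host"] for row in inventory
            if is_affected(row["model"], row["hw_version"])]


def is_external(src: str) -> bool:
    """A source outside every trusted admin network is external.
    An unparsable source is treated as external (fail closed), never as trusted."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def normalize_path(raw: str) -> str:
    """Strip the query string and percent-encoding so the path compares exactly."""
    return unquote(raw.split("?", 1)[0])


def scan_access_log(lines):
    """Alert on every request to the vulnerable component path.

    During the containment window any hit is suspicious (severity "review");
    an external-origin hit is escalated to "high", i.e. external traffic to
    this component is treated as exploit behaviour rather than misconfiguration.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m.group("path")) != VULNERABLE_PATH:
            continue
        src = m.group("src")
        alerts.append({
            "src": src,
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": m.group("status"),
            "severity": "high" if is_external(src) else "review",
        })
    return alerts


# Constructed sample data: a CMDB export and a few access-log lines.
SAMPLE_INVENTORY = [
    {"host": "edge-rtr-01", "model": "TL-WR841N", "hw_version": "V10"},
    {"host": "edge-rtr-02", "model": "TL-WR841N", "hw_version": "V9"},
    {"host": "branch-rtr-03", "model": "tl-wr740n", "hw_version": "2"},
    {"host": "core-sw-01", "model": "EXAMPLE-SWITCH", "hw_version": "V1"},
]
SAMPLE_LOG = [
    '203.0.113.45 - - [17/Jun/2025:02:14:07 +0000] "GET /userRpm/WlanNetworkRpm?ssid=x HTTP/1.1" 200 512',
    '192.168.1.10 - - [17/Jun/2025:02:15:30 +0000] "GET /userRpm/WlanNetworkRpm HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Jun/2025:02:16:01 +0000] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    print("affected assets:", find_affected_assets(SAMPLE_INVENTORY))
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed data, the inventory check returns edge-rtr-01 and branch-rtr-03 only, and the log scan produces two alerts: the 203.0.113.45 request is "high" because it comes from outside the trusted ranges, the 192.168.1.10 request is "review" because internal management traffic to this endpoint still warrants a look during containment. Internal hits are never dropped silently; only their severity differs.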

Operationally, monitor egress from any still-present devices for anomalies and ensure downstream systems assume compromise until devices are removed. Because this is already exploited in the wild, assume an adversary test-and-retry loop is in play against known-exposed footprints (CISA KEV).

Lyrie Verdict

This is a textbook edge-device command injection that automated adversaries can sweep at internet scale. Lyrie ships machine-speed detections keyed to CVE-2023-33538 indicators—specifically, HTTP interactions targeting /userRpm/WlanNetworkRpm on TP-Link TL-WR940N/WR841N/WR740N families listed by CISA KEV—and auto-escalates to containment when observed (NVD CVE-2023-33538, CISA KEV). Our autonomous policies treat any external-origin traffic to that component as high-confidence exploit behavior during the KEV active window and quarantine the edge segment while signaling inventory removal by the KEV due date (CISA KEV). This is the practical counter to rogue AI-driven scanning and exploitation: immediate, unsupervised interdiction on known-bad paths tied to live-exploited CVEs, with zero reliance on human reaction time (MITRE CVE-2023-33538, CISA KEV).