
Cybersecurity Threat Advisory

Two vulnerabilities are being actively exploited by threat actors: CVE-2023-33538, which affects TP-Link routers, and CVE-2023-28771, which affects Zyxel firewalls. Review this Cybersecurity Threat Advisory to help mitigate the risk of attackers targeting these vulnerabilities.

What is the threat?

CVE-2023-33538 affects several older TP-Link router models, including the TL-WR940N, TL-WR841N, and TL-WR740N. It is a command injection flaw: a specially crafted web request to the router's management interface causes the device to execute arbitrary operating-system commands. Because these routers are end-of-life (EOL), TP-Link is no longer releasing security patches for them, so any unit still in use is a permanent target.
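To make the bug class concrete, here is an added, illustrative example of the command-injection pattern described above. It is not TP-Link firmware code and does not reproduce the actual vulnerable handler; it is a hypothetical web handler that splices a form field into a shell command, shown beside a hardened version that validates the field and never invokes a shell. The `echo` helper stands in for whatever the real firmware would run, so the block runs anywhere.

```python
"""Illustrative command-injection pattern (added example, not TP-Link code).

A web-form field is interpolated into a shell command line, so shell
metacharacters in the field (';', '|', '&', '`', '$(') run extra commands.
The hardened variant applies a strict allowlist and executes an argv list
with no shell, so the field can only ever be a single argument.
"""
import re
import subprocess

# Assumption: a hypothetical router handler that records a wireless network
# name by calling a shell helper. `echo` stands in for the real helper.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_handler(ssid: str) -> str:
    """Vulnerable: attacker-controlled text is interpolated into a shell string."""
    cmd = f"echo set-ssid {ssid}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_safe_ssid(ssid: str) -> bool:
    """Allowlist check: only a short run of [A-Za-z0-9_-] is accepted."""
    return SAFE_NAME.fullmatch(ssid) is not None


def hardened_handler(ssid: str) -> str:
    """Hardened: validate first, then run with an argv list and shell=False."""
    if not is_safe_ssid(ssid):
        raise ValueError(f"rejected SSID value: {ssid!r}")
    out = subprocess.run(
        ["echo", "set-ssid", ssid], capture_output=True, text=True, check=True
    )
    return out.stdout


def looks_like_injection(value: str) -> bool:
    """Cheap request-side check a WAF or log parser can apply to form fields."""
    return any(ch in value for ch in ";|&`$\n") or "$(" in value


if __name__ == "__main__":
    payload = "guest; echo INJECTED"
    print(vulnerable_handler(payload))  # the injected second command runs too
    try:
        hardened_handler(payload)
    except ValueError as err:
        print(err)  # the same payload is rejected before anything executes
```

Rejecting on an allowlist is the important half: escaping with `shlex.quote` alone still leaves the shell in the path, whereas argv execution with validated input removes it.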

CVE-2023-28771 is a critical, unauthenticated remote code execution (RCE) vulnerability in Zyxel firewalls: an attacker who can reach the device with crafted packets can execute operating-system commands on it and take control without any login credentials. GreyNoise has recently tracked widespread exploitation attempts from hundreds of IP addresses, showing that attackers are actively targeting this flaw again.

Why is it noteworthy?

Both vulnerabilities are being exploited in the wild. The TP-Link flaw is especially dangerous because it affects unsupported devices that will never receive a patch. The Zyxel vulnerability was used in botnet campaigns in the past and is now being revived, with attackers recycling and automating older exploit code.

What is the exposure or risk?

Organizations and individuals still running the affected TP-Link models are highly exposed. With no patch available, an attacker who compromises one of these routers can use it to launch further attacks, intercept traffic passing through it, or gain a foothold in the internal network.

Attackers can remotely control Zyxel firewalls that haven’t been updated. Exploitation could lead to service disruptions, data theft, or inclusion in a DDoS botnet. The large-scale scanning activity suggests this threat is ongoing and widespread, targeting devices globally, especially in the U.S., U.K., Spain, Germany, and India.

What are the recommendations?

Barracuda strongly recommends that organizations take these steps to reduce the risk of exploitation and protect their critical infrastructure from this and similar threats:

  • Replace TP-Link routers (TL-WR940N, TL-WR841N, TL-WR740N) immediately, since TP-Link will not issue security updates for these models.
  • Discontinue the use of end-of-life (EOL) devices in production or internet-facing roles.
  • Update Zyxel firewalls to the latest firmware version that addresses CVE-2023-28771.
  • Restrict remote access to all network devices, especially admin interfaces.
  • Monitor network traffic proactively with solutions such as Barracuda XDR to identify suspicious activity, especially outbound connections to unfamiliar IP addresses.
  • Review and enforce the segmentation of critical systems to limit exposure in the event of a network device compromise.
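The two monitoring recommendations above (restricting admin access and watching for outbound connections from network devices) can be turned into a simple log sweep. The following is an added example, not Barracuda or vendor code, and runs over constructed sample records rather than real telemetry. It assumes logs are available as key=value lines, that the team keeps an inventory of its router and firewall IPs, a list of networks from which admin access is legitimate, and an allowlist of destinations those devices are expected to contact on their own (here NTP and the log collector). All addresses, hostnames and field names are made up for the example.

```python
"""Added example: two checks a SOC can run over firewall/flow logs.

1. Inbound hits on a network device's management ports from outside the
   admin networks (the device's admin interface is reachable from where it
   should not be).
2. Connections initiated BY a router or firewall to a destination it has no
   business reaching. An edge device calling out to an unknown host is the
   classic post-exploitation tell (C2 check-in, botnet join, payload fetch).
"""
import ipaddress
import re

# Constructed inventory; in practice pull this from your CMDB or asset system.
NETWORK_DEVICES = {"10.0.0.1": "TP-Link TL-WR841N", "10.0.0.2": "Zyxel firewall"}
# Networks from which administrative access is legitimate.
ADMIN_NETS = [ipaddress.ip_network("10.0.100.0/24")]
# Destinations the devices are expected to reach on their own (NTP, log collector).
OUTBOUND_ALLOWLIST = {"10.0.50.5", "10.0.50.6"}
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}

LINE_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
ts=2024-06-01T10:00:01Z dir=in src=10.0.100.12 dst=10.0.0.1 dport=443 proto=tcp
ts=2024-06-01T10:00:07Z dir=in src=203.0.113.9 dst=10.0.0.2 dport=443 proto=tcp
ts=2024-06-01T10:01:00Z dir=out src=10.0.0.1 dst=10.0.50.5 dport=123 proto=udp
ts=2024-06-01T10:01:30Z dir=out src=10.0.0.1 dst=198.51.100.77 dport=4444 proto=tcp
ts=2024-06-01T10:02:00Z dir=out src=10.0.0.2 dst=10.0.50.6 dport=514 proto=udp
this line is garbage and must not crash the sweep
"""


def parse_logs(text: str) -> list[dict]:
    """Parse key=value lines; lines missing required fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(LINE_RE.findall(line))
        if {"dir", "src", "dst", "dport"} <= fields.keys():
            fields["dport"] = int(fields["dport"])
            records.append(fields)
    return records


def is_admin_source(ip: str) -> bool:
    """True if the source address lies inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def untrusted_admin_access(records: list[dict]) -> list[tuple[str, str, int]]:
    """Inbound connections to a device's management ports from non-admin sources."""
    return [
        (r["src"], r["dst"], r["dport"])
        for r in records
        if r["dir"] == "in"
        and r["dst"] in NETWORK_DEVICES
        and r["dport"] in ADMIN_PORTS
        and not is_admin_source(r["src"])
    ]


def unexpected_outbound(records: list[dict]) -> list[tuple[str, str, int]]:
    """Connections a network device itself opened to a non-allowlisted destination."""
    return [
        (r["src"], r["dst"], r["dport"])
        for r in records
        if r["dir"] == "out"
        and r["src"] in NETWORK_DEVICES
        and r["dst"] not in OUTBOUND_ALLOWLIST
    ]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for src, dst, port in untrusted_admin_access(recs):
        print(f"ADMIN EXPOSED: {src} -> {dst}:{port} ({NETWORK_DEVICES[dst]})")
    for src, dst, port in unexpected_outbound(recs):
        print(f"DEVICE CALL-OUT: {src} ({NETWORK_DEVICES[src]}) -> {dst}:{port}")
```

The first finding is the thing to fix (close the admin interface to the internet); the second is the thing to investigate, because a router or firewall should almost never initiate connections beyond a short, known list.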

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Sana Ansari

Sana is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Sana supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
