
Cybersecurity Threat Advisory

A potentially critical vulnerability, tracked as CVE-2023-1389, has been identified in TP-Link Archer AX-21 routers. The Ballista botnet, which can spread automatically across the web, is currently exploiting this vulnerability. Continue reading this Cybersecurity Threat Advisory to learn more.

What is the threat?

CVE-2023-1389 is caused by improper validation of user input in the router’s web management interface. This vulnerability allows an attacker to send HTTP requests that can lead to command execution with root privileges. The Ballista botnet exploits this vulnerability to enlist affected routers in DDoS attacks. Routers running firmware versions earlier than 1.1.4 Build 20230219 are vulnerable to this issue.

Why is it noteworthy?

The Ballista botnet exploits this vulnerability to target affected routers for use in DDoS attacks. Some manufacturing companies in the US and Australia have already been targeted. Attackers find TP-Link Archer AX-21 routers particularly appealing due to their widespread use.

What is the exposure or risk?

Organizations that are utilizing vulnerable versions of TP-Link routers are at significant risk. Successful exploitation can result in:

  • Network compromise: Attackers can move laterally inside the network to affect other connected devices.
  • Data breaches: Access to sensitive information traversing the network can lead to data exfiltration.
  • Botnet recruitment: Attackers can leverage the compromised routers in DDoS attacks.

What are the recommendations?

Barracuda recommends the following actions to protect your organization against this threat:

  • Apply updates if your TP-Link Archer AX-21 router firmware is older than version 1.1.4 Build 20230219.
  • Use network segmentation so that, in the event of an attack, the affected device is isolated. This prevents further spread and the compromise of other devices on the network.
  • Monitor network traffic and be aware of any unusual outbound connections.
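
To act on the first recommendation across many devices, the following added example (not part of the original advisory or any TP-Link tooling) classifies firmware strings against the fixed release named above. It assumes firmware is reported in the form `X.Y.Z Build YYYYMMDD`, as the advisory writes it; the inventory names and sample strings are constructed.

```python
import re
from datetime import datetime

# Fixed release named in this advisory.
FIXED = ((1, 1, 4), 20230219)
# Assumed string shape, as the advisory writes it: "<X>.<Y>.<Z> Build <YYYYMMDD>"
_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d+)\s*$", re.IGNORECASE)

def parse_firmware(text):
    """Return ((major, minor, patch), build) or None if the string is unusable."""
    m = _FW_RE.match(text or "")
    if not m:
        return None
    build = m.group(4)
    # Reject builds that are not a real 8-digit date (e.g. a mistyped 9-digit
    # value), which would otherwise compare as newer than the fixed build.
    if len(build) != 8:
        return None
    try:
        datetime.strptime(build, "%Y%m%d")
    except ValueError:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), int(build)

def classify(text):
    """'vulnerable' if older than FIXED, 'patched' if not, 'unknown' if unparseable."""
    fw = parse_firmware(text)
    if fw is None:
        return "unknown"
    return "vulnerable" if fw < FIXED else "patched"

def audit(inventory):
    """Map each device name to its classification; 'unknown' needs manual review."""
    return {name: classify(fw) for name, fw in inventory.items()}

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = {
    "branch-ap-01": "1.1.3 Build 20221125",
    "branch-ap-02": "1.1.4 Build 20230219",
    "lab-ap-03": "1.1.4 Build 20230105",
    "hq-ap-04": "1.1.4 Build 202330219",   # malformed build number
    "hq-ap-05": "",                         # firmware not reported
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

Devices reported as `unknown` should be checked by hand rather than assumed patched.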

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Spartak Myrto

Spartak is a Cybersecurity Analyst at Barracuda MSP. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
