Cyber Resilience

CVE-2023-1389

Severity: High | CISA KEV | Active Exploitation | EUVD Exploited | Public PoC

Published: 15 March 2023
Modified: 03 November 2025
KEV Added: 01 May 2023
Patch: available (firmware 1.1.4 Build 20230219 or later, see the advisory references below)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9331 (99.8th percentile)
Risk Priority: 94 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-1389 is a high-severity command injection (CWE-77) vulnerability in TP-Link Archer AX21 firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS 0.9331), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-1389 is a command injection vulnerability affecting TP-Link Archer AX21 (AX1800) wireless routers running firmware versions prior to 1.1.4 Build 20230219. The flaw resides in the web management interface at the /cgi-bin/luci;stok=/locale endpoint, where the country parameter supplied to the write operation is passed directly to a popen() call without sanitization, enabling arbitrary command execution.

An unauthenticated attacker with adjacent network access (CVSS AV:A: the attacker only needs to reach the web management interface, which normally listens on the LAN side) can exploit the issue by sending a crafted POST request containing shell commands in the country field. Because the injected commands run as root, successful exploitation gives the attacker full control over the router's configuration, the traffic it forwards, and its connected clients.

Public advisories and exploit references, including entries from Tenable and CISA's Known Exploited Vulnerabilities catalog, indicate that the primary mitigation is to update the device firmware to version 1.1.4 Build 20230219 or later, which addresses the unsanitized input path.

The vulnerability carries a CVSS score of 8.8 and an EPSS score that has reached 0.93, and its presence in the CISA KEV catalog confirms observed real-world exploitation.

EU & UK References

Vulnerability details

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 01 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

TP-Link Archer AX21 (AX1800) firmware, versions before 1.1.4 Build 20230219. The tracker's version bound displays as ≤ 1.1.4 because it omits the build number; 1.1.4 Build 20230219 itself is the fixed release.

Mitigating Controls (NIST 800-53 r5)

prevent, SI-10 (Information Input Validation): directly requires validation and sanitization of the country parameter before it reaches popen(), blocking the command injection at the /cgi-bin/luci endpoint.

prevent, SI-2 (Flaw Remediation): mandates prompt application of the firmware update to 1.1.4 Build 20230219, which corrects the unsanitized input handling in the locale write operation.

prevent (no control identifier given on this page): enforces authentication and authorization checks on the web management interface so that unauthenticated adjacent-network POST requests cannot reach the vulnerable endpoint.
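The injection path described in the deeper analysis (a country value reaching popen() unsanitized) and the SI-10 validation control above, modelled as an added example in C. This is not TP-Link's firmware code and is not derived from it: the form body, the operation=write key beside the country parameter, the set_country command name and the helper function names are assumptions chosen for illustration, and only the command string is built, nothing is executed. What it shows beyond the text is that validation must run on the percent-decoded value: an encoded metacharacter such as %3B only becomes ; after decoding, so a check applied to the raw parameter would pass it through.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a form value in place and return its new length.
 * Validation must run on the DECODED value: "US%3Bid" is "US;id". */
size_t url_decode(char *s)
{
    char *w = s;
    for (const char *r = s; *r != '\0'; r++) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 2;
        } else if (*r == '+') {
            *w++ = ' ';
        } else {
            *w++ = *r;
        }
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Extract the decoded value of `key` from an application/x-www-form-urlencoded
 * body such as "operation=write&country=US". Returns 1 if the key is present. */
int form_get(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            url_decode(out);
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* 1 if the value carries any character the shell would interpret. */
int contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>\n\r'\"\\") != NULL;
}

/* VULNERABLE pattern: the decoded value is interpolated straight into the
 * command line that would be handed to popen(). "set_country" is a stand-in;
 * the real firmware command is not named by the advisory. */
int build_command_unsafe(const char *country, char *cmd, size_t cmdlen)
{
    return snprintf(cmd, cmdlen, "set_country %s", country);
}

/* SI-10 style allow-list: exactly two ASCII uppercase letters (the shape of an
 * ISO 3166-1 alpha-2 code). Anything else is rejected before a shell exists. */
int country_is_valid(const char *country)
{
    if (country == NULL || strlen(country) != 2)
        return 0;
    return isupper((unsigned char)country[0]) && isupper((unsigned char)country[1]);
}

/* HARDENED pattern: validate first, build only on success, -1 on rejection.
 * Real firmware should also drop the shell entirely (execve with an argv
 * array rather than popen), so that validation is not the only barrier. */
int build_command_hardened(const char *country, char *cmd, size_t cmdlen)
{
    if (!country_is_valid(country))
        return -1;
    return snprintf(cmd, cmdlen, "set_country %s", country);
}

/* Parse `body`; 1 if the hardened path accepts the country value, 0 if it
 * rejects it, -1 if the parameter is absent. */
int hardened_accepts(const char *body)
{
    char country[64], cmd[128];
    if (!form_get(body, "country", country, sizeof country))
        return -1;
    return build_command_hardened(country, cmd, sizeof cmd) < 0 ? 0 : 1;
}

/* Parse `body`; 1 if the unsafe path lets a shell metacharacter into the
 * command line, 0 otherwise, -1 if the parameter is absent. */
int unsafe_leaks_metachar(const char *body)
{
    char country[64], cmd[128];
    if (!form_get(body, "country", country, sizeof country))
        return -1;
    build_command_unsafe(country, cmd, sizeof cmd);
    return contains_shell_metachar(cmd);
}

int main(void)
{
    /* Constructed request body; the parameter names are assumptions. */
    const char *body = "operation=write&country=US%3Bid";
    printf("unsafe path leaks metacharacter: %d\n", unsafe_leaks_metachar(body));
    printf("hardened path accepts value    : %d\n", hardened_accepts(body));
    return 0;
}
```

Compile and run with `cc -Wall example.c && ./a.out`; the unsafe path reports 1 (the decoded `;` reaches the command line) and the hardened path reports 0 (the allow-list rejects it).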

References