CVE-2023-1389
Published: 15 March 2023
Summary
CVE-2023-1389 is a high-severity command injection (CWE-77) vulnerability in TP-Link Archer AX21 firmware. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-1389 is a command injection vulnerability affecting TP-Link Archer AX21 (AX1800) wireless routers running firmware versions prior to 1.1.4 Build 20230219. The flaw resides in the web management interface at the /cgi-bin/luci;stok=/locale endpoint, where the country parameter supplied to the write operation is passed directly to a popen() call without sanitization, enabling arbitrary command execution.
An unauthenticated attacker with adjacent network access can exploit the issue by sending a crafted POST request containing shell commands in the country field. Successful exploitation grants the attacker root-level code execution on the device, allowing full control over the router's configuration, traffic, and connected clients.
Public advisories and exploit references, including entries from Tenable and CISA's Known Exploited Vulnerabilities catalog, indicate that the primary mitigation is to update the device firmware to version 1.1.4 Build 20230219 or later, which addresses the unsanitized input path.
The vulnerability carries a CVSS score of 8.8 and an EPSS score that has reached 0.93, and its presence in the CISA KEV catalog confirms observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23645
Vulnerability details
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
- CWE(s): CWE-77
- KEV Date Added: 01 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the country parameter before it reaches popen(), blocking the command injection at the /cgi-bin/luci endpoint.
- SI-2 (Flaw Remediation): mandates prompt application of the firmware update to 1.1.4 Build 20230219 that corrects the unsanitized input handling in the locale write operation.
- Enforces authentication and authorization checks on the web management interface so that unauthenticated adjacent-network POST requests cannot reach the vulnerable endpoint.
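As an added illustration of the SI-10 control above (not code from TP-Link or from this advisory), the following applies a strict allowlist to the country value of a locale write request and uses the same check to flag suspicious requests in a sample of constructed request records. The body field names "operation" and "country" and the sample request bodies are assumptions; only the endpoint path comes from the advisory.

```python
from urllib.parse import unquote_plus
import re

VULN_PATH = "/cgi-bin/luci;stok=/locale"
# Allowlist shape for the country value: a bare ISO 3166-1 alpha-2 code.
COUNTRY_RE = re.compile(r"[A-Z]{2}")

# Constructed sample requests (method, path, url-encoded body). The field
# names "operation" and "country" are assumptions about the locale write form.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH, "operation=write&country=US"),
    ("POST", VULN_PATH, "operation=write&country=US%3Becho+injected"),
    ("POST", VULN_PATH, "operation=write&country="),
    ("POST", VULN_PATH, "operation=read"),
    ("POST", "/cgi-bin/luci;stok=/admin/status", "operation=write&country=US%3Bid"),
]

def parse_body(body: str) -> dict:
    """Split a form body on '&' only (never on ';') and percent-decode each
    part, so an encoded metacharacter is inspected in its decoded form."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def valid_country(value: str) -> bool:
    """SI-10 style allowlist: accept only a two-letter uppercase code. Shell
    metacharacters, whitespace, quotes, wrong length or an empty value are
    all rejected before the value could ever be handed to popen()."""
    return COUNTRY_RE.fullmatch(value) is not None

def flag_request(method: str, path: str, body: str):
    """Return a reason string for a locale write whose country value fails
    the allowlist; return None for anything else."""
    if method != "POST" or path != VULN_PATH:
        return None
    params = parse_body(body)
    if params.get("operation") != ["write"]:
        return None
    bad = [c for c in params.get("country", []) if not valid_country(c)]
    if bad:
        return f"country value {bad[0]!r} fails allowlist on locale write"
    return None

def scan(requests):
    """Apply flag_request to each (method, path, body) tuple; return hits."""
    return [(body, reason) for method, path, body in requests
            if (reason := flag_request(method, path, body)) is not None]
```

The same valid_country() check serves both purposes: on the device it would gate the parameter before popen(), and in a log pipeline it separates legitimate two-letter codes from anything that carries extra characters.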