CVE-2023-33538
Published: 07 June 2023
Summary
CVE-2023-33538 is a high-severity command injection (CWE-77) vulnerability in the TP-Link TL-WR940N. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-17 (Remote Access).
Deeper analysis
CVE-2023-33538 is a command injection vulnerability, tracked under CWE-77, that affects the TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 wireless routers. The flaw resides in the /userRpm/WlanNetworkRpm component and carries a CVSS 3.1 base score of 8.8.
An authenticated attacker with network access can supply crafted input to the affected endpoint and execute arbitrary commands on the device. Successful exploitation grants the attacker full control over the router, enabling actions such as altering configuration, intercepting traffic, or pivoting into the local network.
Public references indicate that CISA has issued a warning specifically addressing active exploitation of this vulnerability. No vendor-supplied patches or configuration workarounds are detailed in the available references.
The EPSS score currently stands at 0.9091 with a recorded peak of 0.9147, and one advisory source explicitly notes ongoing in-the-wild exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37697
Vulnerability details
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 were discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.
- CWE(s): CWE-77 (Command Injection)
- KEV Date Added: 16 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of all input to the /userRpm/WlanNetworkRpm endpoint, blocking the crafted parameters that produce command injection.
- Least-privilege configuration of the account that can reach the vulnerable component: Limits that account's privileges, reducing the scope of commands that can be executed.
- AC-17 (Remote Access): Restricts remote network access to the router's management interface, shrinking the attack surface for the unauthenticated or low-privilege injection vector.
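As an added illustration of the SI-10 control (example code written for this page; it is not TP-Link firmware and not taken from any referenced advisory), the C below shows the two halves of the mitigation for a CWE-77 bug of this shape: strict allowlist validation of the wireless-settings parameters a management endpoint receives, and handing the validated values to a helper as separate argv entries rather than interpolating them into a shell command line. The parameter names (ssid, channel) and the helper binary path are assumptions, not details from the page.

```c
/* Added example, not TP-Link's firmware: allowlist validation of
 * wireless-settings parameters, then execution via an argument vector
 * instead of a shell string. Parameter names and HELPER are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SSID_MAX 32                    /* 802.11 SSID length limit in bytes */
#define HELPER "/usr/sbin/wifi-apply"  /* assumed helper path, not a real one */

/* Allowlist: 1..32 printable ASCII bytes, no shell metacharacters.
 * Returns 1 if accepted, 0 if rejected. */
int validate_ssid(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > SSID_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isprint(c) || strchr("`$;|&<>()\\\"'", c) != NULL) return 0;
    }
    return 1;
}

/* Channel: a decimal integer 1..14 only. Returns the channel, or -1. */
int validate_channel(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 2) return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;
    int ch = atoi(s);
    return (ch >= 1 && ch <= 14) ? ch : -1;
}

/* Build argv for the helper. Each value is its own argument, so a value
 * containing spaces, quotes or ';' can never become a second command.
 * Returns argc on success, -1 if either input fails validation. */
int build_argv(const char *ssid, const char *channel, char *argv[], size_t max)
{
    if (max < 6) return -1;
    if (!validate_ssid(ssid) || validate_channel(channel) < 0) return -1;
    argv[0] = HELPER;
    argv[1] = "--ssid";
    argv[2] = (char *)ssid;
    argv[3] = "--channel";
    argv[4] = (char *)channel;
    argv[5] = NULL;
    return 5;
}

/* Run the helper without any shell; returns its exit status, or -1. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);  /* exec failed (helper absent on this host) */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed request inputs: one benign, two that must be rejected. */
    const char *inputs[][2] = {
        { "HomeNet", "6" }, { "Guest;Net", "6" }, { "HomeNet", "99" }
    };
    char *argv[8];
    for (size_t i = 0; i < 3; i++) {
        if (build_argv(inputs[i][0], inputs[i][1], argv, 8) < 0) {
            printf("rejected: ssid=\"%s\" channel=\"%s\"\n", inputs[i][0], inputs[i][1]);
            continue;
        }
        printf("accepted: ssid=\"%s\" channel=\"%s\" -> helper exit %d\n",
               inputs[i][0], inputs[i][1], run_argv(argv));
    }
    return 0;
}
```

The allowlist is deliberately conservative (non-ASCII SSIDs are rejected); loosen it only with a validator that understands the encoding. The important property is in build_argv: the request values reach the privileged operation as discrete arguments, so no metacharacter filtering has to be perfect for the command boundary to hold. On a host without the assumed helper, run_argv reports exit status 127.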