Cyber Resilience

CVE-2023-33538

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 07 June 2023

Modified: 27 October 2025
KEV Added: 16 June 2025
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9006 (99.6th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33538 is a high-severity Command Injection (CWE-77) vulnerability in the TP-Link TL-WR940N. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-17 (Remote Access).

Deeper analysis

CVE-2023-33538 is a command injection vulnerability, tracked under CWE-77, that affects the TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 wireless routers. The flaw resides in the /userRpm/WlanNetworkRpm component and carries a CVSS 3.1 base score of 8.8.

An authenticated attacker with network access can supply crafted input to the affected endpoint and execute arbitrary commands on the device. Successful exploitation grants the attacker full control over the router, enabling actions such as altering configuration, intercepting traffic, or pivoting into the local network.

Public references indicate that CISA has issued a warning specifically addressing active exploitation of this vulnerability. No vendor-supplied patches or configuration workarounds are detailed in the available references.

The EPSS score currently stands at 0.9091 with a recorded peak of 0.9147, and one advisory source explicitly notes ongoing in-the-wild exploitation activity.

EU & UK References

Vulnerability details

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 were discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm.

CWE(s)
KEV Date Added: 16 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

tp-link | tl-wr940n firmware | all versions
tp-link | tl-wr841n firmware | all versions
tp-link | tl-wr740n firmware | all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input to the /userRpm/WlanNetworkRpm endpoint, blocking the crafted parameters that produce command injection.

prevent

Limits the privileges of the low-privileged account needed to reach the vulnerable component, reducing the scope of commands that can be executed.

AC-17 Remote Access partial match
prevent

Restricts remote network access to the router's management interface, shrinking the attack surface for the unauthenticated or low-privilege injection vector.

References