TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert

Here’s a concise three‑paragraph summary of the article from The Hacker News about the TP‑Link router vulnerability:

1. Discovery and Severity: On June 17, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw, CVE-2023-33538, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, which carries a high CVSS score of 8.8, is a command injection bug in multiple models of TP-Link routers (TL-WR940N V2/V4, TL-WR841N V8/V10, TL-WR740N V1/V2). Attackers can exploit it by sending specially crafted HTTP GET requests using the ssid1 parameter to trigger arbitrary command execution on the device (thehackernews.com).

2. Exploitation & Support Status: CISA's inclusion of the flaw in the KEV catalog indicates that it is actively being exploited. However, details remain scarce regarding the scale of attacks or the threat actors involved. Complicating remediation, TP-Link has officially ended support for the affected models, meaning no firmware patches are forthcoming. Consequently, CISA recommends discontinuing their use or applying mitigations where possible (thehackernews.com).

3. Wider Context & Compliance Deadline: This development follows earlier research into OT-centric malware (like FrostyGoop/BUSTLEBERM) that suggested but didn't confirm exploitation via this vulnerability (thehackernews.com). Additionally, CISA has set a compliance deadline: by July 7, 2025, federal agencies must remediate or phase out vulnerable devices (thehackernews.com). The article also draws parallels to similar ongoing threats, such as exploits targeting Zyxel firewalls (CVE-2023-28771), which have been weaponized for DDoS botnets (thehackernews.com).

