The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Monday added a high-severity security flaw in TP-Hyperlink wi-fi routers to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability in query is CVE-2023-33538 (CVSS rating: 8.8), a command injection bug that would outcome within the execution of arbitrary system instructions when processing the ssid1 parameter in a specifically crafted HTTP GET request.
“TP-Hyperlink TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 comprise a command injection vulnerability by way of the element /userRpm/WlanNetworkRpm,” the company stated.

CISA has additionally warned that there’s a risk that affected merchandise could possibly be end-of-life (EoL) and/or end-of-service (EoS), urging customers to discontinue their use if no mitigations can be found.
There’s at the moment no public details about how the shortcoming could also be exploited within the wild.
In December 2024, Palo Alto Networks Unit 42 revealed that it had recognized extra samples of an operational expertise (OT)-centric malware referred to as FrostyGoop (aka BUSTLEBERM) and that one of many IP addresses comparable to an ENCO management machine additionally acted as a router net server utilizing TP-Hyperlink WR740N to facilitate entry the ENCO machine from an online browser.
Nevertheless, it additional identified that “there isn’t a laborious proof to point that the attackers exploited [CVE-2023-33538] within the July 2024 FrostyGoop assault.”
The Hacker Information has reached out to TP-Hyperlink for additional particulars, and we are going to replace the story if we hear again. In mild of energetic exploitation, federal companies are required to remediate the flaw by July 7, 2025.
New Exercise Targets CVE-2023-28771
The disclosure comes as GreyNoise has warned of exploit makes an attempt concentrating on a important security flaw impacting Zyxel firewalls (CVE-2023-28771, CVSS rating: 9.8).

CVE-2023-28771 refers to a different working system command injection vulnerability that would allow an unauthenticated attacker to execute instructions by sending crafted requests to a inclined machine. It was patched by Zyxel in April 2023.
Whereas the vulnerability was weaponized to construct distributed denial-of-service (DDoS) botnets comparable to Mirai shortly after public disclosure, the menace intelligence agency stated it noticed heightened makes an attempt to use it as just lately as June 16, 2025.

As many as 244 distinctive IP addresses are stated to have participated within the efforts over a brief timespan, with the exercise concentrating on the US, United Kingdom, Spain, Germany, and India.
“Historic evaluation signifies that within the two weeks previous June 16, these IPs weren’t noticed participating in every other scanning or exploit habits — solely concentrating on CVE-2023-28771,” GreyNoise stated, including it recognized “indicators per Mirai botnet variants.”
To mitigate the menace, customers are beneficial to replace their Zyxel units to the newest model, monitor for any anomalous exercise, and restrict publicity the place relevant.