Mirai Variant Targets EOL TP-Link Routers via Flawed Exploit for Valid Vulnerability

Unit 42 has identified active exploitation attempts targeting CVE-2023-33538 on end-of-life TP-Link routers. While current in-the-wild exploit code is technica…


Palo Alto Networks' Unit 42 has detected and analyzed automated exploitation attempts targeting CVE-2023-33538 on end-of-life (EOL) TP-Link Wi-Fi routers. The activity is attributed to a Mirai-like botnet identified as the "Condi" variant. Network telemetry first observed this activity in May 2025, approximately one month before the vulnerability was formally added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Despite a critical flaw in the observed exploit code that prevents successful execution, technical analysis confirms that the underlying vulnerability is legitimate and highly exploitable when default credentials are in use.

Key Takeaways
  • Exploitation attempts were detected starting in May 2025 through active network telemetry, involving GET requests to the /userRpm/WlanNetworkRpm.htm endpoint that inject commands into the ssid1 parameter.
  • The arm7 payload is a variant of the Condi botnet with a hardcoded C2 at IP 51.38.137[.]113, capable of self-propagation by downloading binaries for eight different CPU architectures.
  • While authentication to the web interface is required for exploitation, the observed requests systematically utilized the admin:admin credential pair encoded in Base64.
  • TP-Link has confirmed that the affected devices are end-of-life; no patches will be issued, making hardware replacement the only definitive mitigation.

Technical Analysis: Command Injection via the ssid1 Parameter

The technical investigation by Unit 42 focused on the TL-WR940N model, utilizing firmware emulation to reconstruct the exploit path. The attack vector leverages an unsanitized command injection vulnerability in the ssid1 parameter of the /userRpm/WlanNetworkRpm.htm endpoint, accessible via HTTP GET. The malicious request concatenates shell commands designed to download an ELF binary, modify execution permissions, and launch the malware.

Telemetry showed that the requests included an Authorization: Basic YWRtaW46YWRtaW4= header, which decodes to the default admin:admin credentials. This detail is pivotal: while CVE-2023-33538 requires authentication, that barrier is effectively non-existent on devices that have never been reconfigured by the user. Firmware emulation confirmed that once the request is authenticated with those default credentials, the injection in the ssid1 parameter allows arbitrary commands to execute at the router's operating system level.
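The two request properties described above (a GET to /userRpm/WlanNetworkRpm.htm whose ssid1 value carries shell metacharacters, and a Basic header that decodes to admin:admin) are enough for a defender to write a detector. The following is an added example, not code from Unit 42 or the original article; it assumes request logs exported as newline-delimited JSON with `url` and `authorization` fields (as a reverse proxy or WAF in front of the router might produce), and the sample records, the severity scheme and the field names are constructed for this illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the Unit 42 report.
TARGET_PATH = "/userRpm/WlanNetworkRpm.htm"
INJECTED_PARAM = "ssid1"
# Credential pair carried by the observed requests ("Basic YWRtaW46YWRtaW4=").
DEFAULT_CREDENTIALS = {"admin:admin"}
# Shell metacharacters and command substitution that never belong in an SSID.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")


def decode_basic_auth(header):
    """Return 'user:pass' from an HTTP Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze_request(record):
    """Return a finding for one request record, or None if it is uninteresting."""
    parts = urlsplit(record.get("url", ""))
    if parts.path != TARGET_PATH:
        return None
    reasons = []
    values = parse_qs(parts.query, keep_blank_values=True).get(INJECTED_PARAM, [])
    if any(SHELL_META.search(v) for v in values):
        reasons.append("shell metacharacters in " + INJECTED_PARAM)
    if decode_basic_auth(record.get("authorization")) in DEFAULT_CREDENTIALS:
        reasons.append("default credentials admin:admin")
    if not reasons:
        return None
    # Both conditions together match the observed campaign; either alone is worth a look
    # (a legitimate admin still using admin:admin is itself a finding).
    severity = "high" if len(reasons) == 2 else "medium"
    return {"src": record.get("src"), "severity": severity, "reasons": reasons}


def detect_exploit_attempts(log_text):
    """Scan newline-delimited JSON request records; skip blank or malformed lines."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_request(record)
        if finding:
            findings.append(finding)
    return findings


def _basic(userpass):
    """Build a Basic header value for the constructed sample below."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


# Constructed sample log (not real telemetry): NDJSON records as a proxy or WAF
# might export them, one request per line, with the Authorization header kept.
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "203.0.113.10", "method": "GET",
                "url": TARGET_PATH + "?ssid1=home%3Becho+probe",
                "authorization": "Basic YWRtaW46YWRtaW4="}),
    json.dumps({"src": "192.168.1.20", "method": "GET",
                "url": TARGET_PATH + "?ssid1=FamilyWifi",
                "authorization": _basic("admin:admin")}),
    json.dumps({"src": "198.51.100.7", "method": "GET",
                "url": TARGET_PATH + "?ssid1=Guest%7Cid",
                "authorization": _basic("admin:S3cret-example")}),
    json.dumps({"src": "192.168.1.21", "method": "GET",
                "url": "/userRpm/StatusRpm.htm",
                "authorization": _basic("admin:admin")}),
    "this line is not JSON and is skipped",
])

if __name__ == "__main__":
    for f in detect_exploit_attempts(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the first record scores high (injection plus default credentials), the second and third medium (one condition each), and the request to a different endpoint is ignored. Decoding the header rather than string-matching the Base64 token matters: the same credentials can be encoded with different whitespace or padding, and decoding also catches other default pairs if you extend `DEFAULT_CREDENTIALS`.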

The downloaded binary, compiled for the ARM7 architecture, underwent reverse engineering. Unit 42 extracted several identifying characteristics: "condi" strings within the code, a 0x99 0x66 0x33 byte pattern in C2 commands, and an update_bins function referencing an arch_names array with support for eight additional CPU architectures. The binary establishes communication with a command-and-control server at IP address 51.38.137[.]113, associated with the domain cnc.vietdediserver[.]shop—an infrastructure previously linked to Mirai-like botnet campaigns.

The Flawed Exploit Paradox: Why the Risk Remains High

The significance of this campaign lies in the discrepancy between intent and execution. The in-the-wild exploits analyzed by Unit 42 contained errors that would have caused them to fail even with valid credentials. However, experimental confirmation that the vulnerability is real—achieved through firmware emulation and reverse engineering—shifts the threat perspective significantly.

"Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real." — Unit 42, Palo Alto Networks

Errors in exploit code can be corrected rapidly. The threat actors behind the Condi botnet have already demonstrated automated distribution capabilities, active C2 infrastructure, and multi-architecture propagation mechanisms. The May 2025 telemetry represents a snapshot of an evolving campaign, not its final state. The distinction between a "flawed exploit" and a "non-exploitable vulnerability" is technically relevant but strategically dangerous: fixing malicious code is trivial compared to the structural challenge of securing unpatched, EOL devices with default configurations.

A Critical Timeline: KEV, Telemetry, and End-of-Life Status

The timeline follows a recurring pattern in IoT threats. Automated exploitation attempts began in May 2025, followed in June 2025 by the inclusion of CVE-2023-33538 in the CISA Known Exploited Vulnerabilities Catalog. This one-month gap between in-the-wild activity and official government formalization illustrates a common delay: commercial telemetry preceded public alerts, leaving a window where defense depended entirely on the proactive awareness of network operators.

TP-Link’s position, as reported by Unit 42, is unambiguous: the affected devices are end-of-life. No patches are available or planned, and the official recommendation is hardware replacement. No software-based mitigation path exists for these models. The combination of a confirmed vulnerability, lack of patching, and the prevalence of default credentials effectively turns these consumer routers into a pool of potential DDoS zombies for existing botnet operators.

Mitigation and Risk Management

  • Inventory EOL Devices: Identify any TP-Link routers in the network that have reached end-of-life status. Replacement is the only definitive mitigation and should be prioritized.
  • Eliminate Default Credentials: On any device that cannot be immediately replaced, change the admin password immediately. Even if the model appears unaffected, default authentication is the primary prerequisite for this exploit.
  • Monitor for Indicators of Compromise (IoCs): Watch network traffic for connections to IP 51.38.137[.]113 and the domain cnc.vietdediserver[.]shop. Outbound connections to these indicators suggest an active compromise; block them at the firewall and investigate the source device.
  • Network Segmentation: Isolate IoT devices using VLANs. Compromised routers can serve as pivots for lateral movement; segmenting unmanaged devices limits the impact of a potential infection.
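The IoC-monitoring step above can be automated over connection and DNS logs. The following is an added example, not code from Unit 42 or the original article; it assumes tab-separated, Zeek-like conn and dns exports (timestamp, originating host, responding host or queried name), keeps the two indicators defanged exactly as the report publishes them and refangs them for matching, and uses constructed sample lines rather than real telemetry.

```python
from collections import defaultdict

# Indicators published in the Unit 42 report, kept defanged as written there.
IOC_IPS = {"51.38.137[.]113"}
IOC_DOMAINS = {"cnc.vietdediserver[.]shop"}


def refang(indicator):
    """Restore a defanged indicator ('[.]' standing in for '.') to matchable form."""
    return indicator.replace("[.]", ".").strip().lower()


MATCH_IPS = {refang(i) for i in IOC_IPS}
MATCH_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def domain_matches(qname):
    """True if the queried name is an IoC domain or a subdomain of one."""
    name = qname.strip().lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in MATCH_DOMAINS)


def _records(text, width):
    """Yield tab-separated field lists, skipping comment, blank and short rows."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) >= width:
            yield fields


def match_iocs(conn_log, dns_log):
    """Return {internal host: [hits]} for flows to the C2 IP or lookups of the C2 domain."""
    hits = defaultdict(list)
    for ts, src, dst, dport, proto in (r[:5] for r in _records(conn_log, 5)):
        if dst.strip().lower() in MATCH_IPS:
            hits[src].append({"ts": ts, "type": "conn", "indicator": dst,
                              "dport": int(dport), "proto": proto})
    for ts, src, qname in (r[:3] for r in _records(dns_log, 3)):
        if domain_matches(qname):
            hits[src].append({"ts": ts, "type": "dns",
                              "indicator": qname.strip().lower().rstrip(".")})
    return dict(hits)


# Constructed sample logs (not real telemetry) in a minimal Zeek-like layout.
# conn: ts, originating host, responding host, responder port, protocol
# dns:  ts, originating host, queried name
SAMPLE_CONN = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1747000000.1\t192.168.1.1\t51.38.137.113\t443\ttcp
1747000001.2\t192.168.1.20\t93.184.216.34\t443\ttcp
1747000002.3\t192.168.1.1\t51.38.137.113\t80\ttcp
"""
SAMPLE_DNS = """\
#fields\tts\tid.orig_h\tquery
1747000000.0\t192.168.1.1\tcnc.vietdediserver.shop
1747000003.0\t192.168.1.20\texample.com
"""

if __name__ == "__main__":
    for host, events in match_iocs(SAMPLE_CONN, SAMPLE_DNS).items():
        print(f"{host}: {len(events)} IoC hit(s); isolate and investigate")
        for event in events:
            print("  ", event)
```

In the sample, only the router's own LAN address (192.168.1.1, constructed) talks to the C2 IP and resolves the C2 domain, which is exactly the pattern to expect when the router itself is the infected host rather than a client behind it. Subdomain matching on the DNS side means a hostname under cnc.vietdediserver[.]shop is caught as well as the exact name, and the ports in the sample are placeholders, not ports reported for the campaign.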

Legacy Devices as Hidden Critical Infrastructure

The Condi campaign against CVE-2023-33538 is a case study in the persistence of IoT risk. Consumer Wi-Fi routers occupy an ambiguous position: they are rarely viewed as critical infrastructure, yet they serve as the network perimeter for millions of endpoints, handle credentials, and direct traffic. When compromised, they can be reconfigured to intercept, redirect, or obfuscate malicious activities.

While the Condi variant does not introduce novel techniques to the Mirai landscape, its relevance lies in confirming that botnet operators continue to invest in campaigns targeting EOL devices with known vulnerabilities. They calculate that the combination of zero patches and persistent default credentials will yield a sufficient return. The technical failure of the exploits observed so far is not a permanent safeguard, but a temporary condition that can be rectified with a single line of corrected code.

The defensive perimeter must move away from the hope of vendor updates toward the conscious recognition that certain devices must be retired. The recommendation for hardware replacement is not an excess of caution, but an acknowledgment of technical reality: software lifecycles have an end, and beyond that point, security responsibility transfers entirely to the network administrator.

Frequently Asked Questions

Why is the exploit considered "flawed" if the vulnerability is real?

The in-the-wild exploits contained implementation errors that prevented successful execution, even when valid credentials were provided. However, Unit 42’s firmware emulation proved the underlying vulnerability works as described. An attacker with the same access but corrected code could achieve full compromise.

Is changing the admin password enough to protect the device?

Changing default credentials is a necessary and urgent step, but it is not a complete long-term solution. On EOL devices without security support, other vulnerabilities may emerge. Hardware replacement remains the only comprehensive mitigation recommended by the vendor.

Which TP-Link models are affected?

Unit 42 specifically analyzed the TL-WR940N model. It is currently unknown if other EOL models are susceptible to the same vector in production environments. Prudence dictates treating any TP-Link device without active support as a potential risk.
