CVE-2023-1389

Tags: HIGH · KEV · NUCLEI

TP-Link Archer AX21 Firmware < 1.1.4 - Unauthenticated Command Injection via Country Parameter

Title source: llm

Exploitation Summary

CVE-2023-1389 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 1, 2023. EIP tracks 5 public exploits from researchers including Voyag3r, Voyag3r-Security, dyeat. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an unauthenticated command injection vulnerability in TP-Link Archer AX21 routers via the 'country' parameter in the '/cgi-bin/luci/;stok=/locale' endpoint. It sends a crafted request twice to execute a reverse shell command as root.

Description

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
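A defender-side check for the request pattern described above, written here as an added example (it is not code from this page or from any of the PoC repositories listed below): it parses request parameters and flags writes to the locale endpoint's country form whose country value carries shell metacharacters. The 'METHOD PATH BODY' log-line format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Path fragment shared by both spellings of the endpoint seen on this page
# ("/cgi-bin/luci;stok=/locale" and "/cgi-bin/luci/;stok=/locale").
LOCALE_MARKER = ";stok=/locale"
# A legitimate country value is a short locale token such as "US" or "en_US";
# anything carrying shell metacharacters is treated as an injection attempt.
VALID_COUNTRY = re.compile(r"[A-Za-z]{0,8}(_[A-Za-z]{0,8})?")
SHELL_META = re.compile(r"[;|&`$()\n]")


def is_suspicious_request(path: str, body: str) -> bool:
    """True when the request hits the locale endpoint's 'country' form with a
    country value that does not look like a plain locale code."""
    if LOCALE_MARKER not in path:
        return False
    # Parameters may sit in the query string (form=country&operation=write)
    # or in the POST body (country=...); merge both before inspecting.
    query = path.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    if "country" not in params.get("form", []):
        return False
    return any(SHELL_META.search(v) or not VALID_COUNTRY.fullmatch(v)
               for v in params.get("country", []))


def scan_log(lines):
    """Return the 0-based indexes of flagged lines. Each constructed line is
    'METHOD PATH BODY' (a hypothetical format, not a real server log)."""
    hits = []
    for i, line in enumerate(lines):
        parts = line.split(" ", 2)
        path = parts[1] if len(parts) > 1 else ""
        body = parts[2] if len(parts) == 3 else ""
        if is_suspicious_request(path, body):
            hits.append(i)
    return hits


# Constructed sample: a benign write, an injection attempt, an unrelated form.
SAMPLE_LOG = [
    "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write country=US",
    "POST /cgi-bin/luci/;stok=/locale?form=country&operation=write country=US%3Bid",
    "POST /cgi-bin/luci/;stok=/locale?form=lang&operation=read lang=en",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # [1]
```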

Exploits (5)

exploitdb WORKING POC
by Voyag3r · python · remote · hardware
https://www.exploit-db.com/exploits/51677

This exploit leverages an unauthenticated command injection vulnerability in TP-Link Archer AX21 routers via the 'country' parameter in the '/cgi-bin/luci/;stok=/locale' endpoint. It sends a crafted request twice to execute a reverse shell command as root.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219
No auth needed
Prerequisites: Network access to the target router · Attacker-controlled listener for reverse shell
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 16 stars
by Voyag3r-Security · poc
https://github.com/Voyag3r-Security/CVE-2023-1389

This repository contains two Python scripts demonstrating unauthenticated command injection in TP-Link Archer AX21 routers via CVE-2023-1389. The first script exfiltrates command output via netcat, while the second establishes a reverse shell.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219
No auth needed
Prerequisites: Network access to the router's admin interface · Router running vulnerable firmware
Analyzed by devstral-2, Feb 16, 2026
github WORKING POC
by dyeat · python · poc
https://github.com/dyeat/cve-reproduction/tree/main/D-Link/DIR-AX21/CVE-2023-1389

The repository contains a functional exploit for CVE-2023-1389, targeting a command injection vulnerability in TP-Link AX21 AX1800 routers. The exploit sends a crafted HTTP request to execute arbitrary commands via the 'country' parameter in the '/cgi-bin/luci/;stok=/locale' endpoint.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: TP-Link AX21 AX1800 (Firmware Version < 1.1.2)
No auth needed
Prerequisites: Network access to the target device
Analyzed by devstral-2, May 22, 2026
nomisec WORKING POC
by werwolfz · poc
https://github.com/werwolfz/CVE-2023-1389

This repository contains a Go-based exploit for CVE-2023-1389, an unauthenticated command injection vulnerability in TP-Link Archer AX21 routers. The exploit sends a reverse shell payload via a crafted HTTP request to the vulnerable endpoint.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: TP-Link Archer AX21
No auth needed
Prerequisites: List of target IPs · Netcat listener
Analyzed by devstral-2, Feb 16, 2026
vulncheck_xdb WORKING POC
remote
https://github.com/Quadron-Research-Lab/Hardware-IoT

This script exploits a command injection vulnerability in TP-Link AX21 routers by sending crafted HTTP requests to the `/locale` endpoint, which triggers a telnet daemon on port 8181. The exploit then connects to the spawned telnet service for remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: TP-Link AX21 (firmware versions affected by CVE-2023-1389)
No auth needed
Prerequisites: Network access to the router's web interface (typically 192.168.0.1) · Router must be vulnerable to CVE-2023-1389
Analyzed by devstral-2, Feb 25, 2026

Nuclei Templates (1)

TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
CRITICAL · VERIFIED · by ritikchaddha
Shodan: title:"TP-Link Router"
FOFA: body="tp-link"

Scores

CVSS v3 8.8
EPSS 0.9331
EPSS Percentile 99.8%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-05-01
VulnCheck KEV 2023-04-12
InTheWild.io 2023-05-01
ENISA EUVD EUVD-2023-23645
CWE
CWE-77
Status published
Products (1)
tp-link/archer_ax21_firmware < 1.1.4
Published Mar 15, 2023
KEV Added May 01, 2023
Tracked Since Feb 18, 2026