CVE-2023-33538

HIGH KEV

TP-Link TL-WR940N TL-WR841N TL-WR740N - OS Command Injection via WlanNetworkRpm Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-33538 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 16, 2025. EIP tracks 3 public exploits from researchers including explxx, eev4n, mrowkoob.

AI-analyzed exploit summary This is a functional Python exploit for CVE-2023-33538, targeting TP-Link TL-WR940N/TL-WR841N routers via command injection in the `ssid1` parameter. It supports vulnerability testing, arbitrary command execution, and reverse shell establishment.

Description

TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 was discovered to contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm .

Exploits (3)

nomisec WORKING POC 1 stars
by explxx · remote-auth
https://github.com/explxx/CVE-2023-33538

This is a functional Python exploit for CVE-2023-33538, targeting TP-Link TL-WR940N/TL-WR841N routers via command injection in the `ssid1` parameter. It supports vulnerability testing, arbitrary command execution, and reverse shell establishment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link TL-WR940N/TL-WR841N (various firmware versions)
Auth required
Prerequisites: Network access to the router's web interface · Valid admin credentials · Router with vulnerable firmware
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by eev4n · remote-auth
https://github.com/eev4n/tplink-osci

This repository contains a functional exploit for CVE-2023-33538, targeting TP-Link routers via command injection in the SSID parameter. The exploit supports both authenticated HTTP requests and unauthenticated TDDP (TP-Link Device Debug Protocol) packets for RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link routers (specific models not listed)
Auth required
Prerequisites: network access to target device · valid credentials for HTTP method
devstral-2 · analyzed May 17, 2026 Full analysis →
nomisec WORKING POC
by mrowkoob · remote-auth
https://github.com/mrowkoob/CVE-2023-33538-msf

This is a Metasploit auxiliary module that exploits an authenticated command injection vulnerability in TP-Link TL-WR940N/841N routers via the `ssid1` parameter in `WlanNetworkRpm.htm`. It requires a valid Authorization cookie and session path prefix obtained manually.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: TP-Link TL-WR940N V2/V4 and TL-WR841N V8/V10
Auth required
Prerequisites: Valid Authorization cookie · Session path prefix · Network access to the target router
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.4257
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-06-16
VulnCheck KEV 2025-06-16
ENISA EUVD EUVD-2023-37697
CWE
CWE-77
Status published
Products (3)
tp-link/tl-wr740n_firmware
tp-link/tl-wr841n_firmware
tp-link/tl-wr940n_firmware
Published Jun 07, 2023
KEV Added Jun 16, 2025
Tracked Since Feb 18, 2026