Hackers are attempting to exploit a high-severity flaw found in several end-of-life routers from TP-Link, according to a blog post published Friday by Palo Alto Networks’ Unit 42.
Researchers warn the observed payloads share similarities to those found in malware used in Mirai-like botnets. Such activity would involve attempts to download the malware and execute it on vulnerable devices, according to researchers.
The vulnerability was originally disclosed in June 2023, and proof-of-concept exploits appeared prior to the disclosure, wrote Unit 42 researchers.
The Cybersecurity and Infrastructure Security Agency previously added the command injection vulnerability, tracked as CVE-2023-33538, to its Known Exploited Vulnerabilities catalog in July 2025.
Palo Alto Networks telemetry detected large-scale exploitation attempts at the time. Researchers caution that recently observed exploitation attempts have not been successful, but the underlying vulnerability is real.
They said successful exploitation would require authentication to the router’s web interface.
TP-Link confirmed the routers have reached end-of-life status and are no longer being supported, and should therefore be replaced with hardware that is under support, according to the Unit 42 post. Users should also make sure default credentials are not being used.
The research follows years of concerns about the security of TP-Link routers, which have raised larger concerns about the security of foreign-linked networking equipment.
Forescout Research in October warned of critical flaws in TP-Link Omada routers. In early 2025 a botnet targeted critical flaws in TP-Link Archer routers in a campaign targeting U.S. organizations.
