Mirai Botnet Loves Exploiting Your Unpatched TP-Link Routers

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) is adding three more flaws to its list of known-exploited vulnerabilities, including one involving TP-Link routers that is being targeted by the operators of the notorious Mirai botnet.

The other two placed on the list this week involve versions of Oracle’s WebLogic Server software and the Apache Foundation’s Log4j Java logging library.

The command-injection flaw in TP-Link’s Archer AX21 Wi-Fi 6 routers – tracked as CVE-2023-1389 – lurks in device firmware prior to version 1.1.4 Build 20230219, which addresses the issue. An unauthorized attacker can exploit this hole to inject commands that could lead to remote code execution (RCE), enabling the intruder to take control of the device from across the network or internet.
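For fleet triage, the practical question is which Archer AX21 units still run firmware older than the fixed build named above. The following is an added example (not TP-Link's or ZDI's code) that parses the "X.Y.Z Build YYYYMMDD" string format and flags devices below 1.1.4 Build 20230219; the inventory entries and the non-patched version strings in it are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed firmware for CVE-2023-1389 as stated in the article.
PATCHED_VERSION = "1.1.4 Build 20230219"

# Matches strings such as "1.1.4 Build 20230219" (dotted version, then build date).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*Build\s*(\d{8})\s*$", re.IGNORECASE)


def parse_firmware(version: str) -> Optional[Tuple[Tuple[int, ...], int]]:
    """Return ((X, Y, Z), YYYYMMDD) for a well-formed string, or None if malformed."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    dotted = tuple(int(p) for p in m.group(1).split("."))
    return dotted, int(m.group(2))


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> Optional[bool]:
    """True if `version` predates `patched`, False if not, None if it cannot be parsed."""
    cur, ref = parse_firmware(version), parse_firmware(patched)
    if cur is None or ref is None:
        return None
    # Pad dotted versions to equal length so that 1.1 compares as 1.1.0,
    # then fall back to the build date when the dotted parts are equal.
    n = max(len(cur[0]), len(ref[0]))
    cur_dotted = cur[0] + (0,) * (n - len(cur[0]))
    ref_dotted = ref[0] + (0,) * (n - len(ref[0]))
    return (cur_dotted, cur[1]) < (ref_dotted, ref[1])


# Constructed inventory (hostname, model, reported firmware); not real device data.
INVENTORY = [
    ("ax21-lobby", "Archer AX21", "1.1.3 Build 20221018"),   # constructed, older build
    ("ax21-lab", "Archer AX21", "1.1.4 Build 20230219"),     # the fixed build
    ("ax21-guest", "Archer AX21", "1.1.4 Build 20230525"),   # constructed, newer build
    ("ax21-unknown", "Archer AX21", "n/a"),                  # firmware not reported
]


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Split Archer AX21 hosts into (needs_update, unparseable_firmware)."""
    needs_update: List[str] = []
    unknown: List[str] = []
    for host, model, fw in inventory:
        if model != "Archer AX21":
            continue
        verdict = is_vulnerable(fw)
        if verdict is None:
            unknown.append(host)   # cannot prove it is patched; follow up manually
        elif verdict:
            needs_update.append(host)
    return needs_update, unknown


if __name__ == "__main__":
    print(triage(INVENTORY))
```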

Trend Micro’s Zero Day Initiative (ZDI) threat-hunting group early last week wrote in a report that in mid-April miscreants behind the please-can’t-it-just-die Mirai botnet were beginning to exploit the flaw primarily by attacking devices in Eastern Europe, though the campaign soon expanded beyond that region.

The Mirai malware rolls up infected Linux-based Internet of Things (IoT) devices into a botnet that can then be remotely controlled to perform large-scale network attacks, including distributed denial-of-service (DDoS) assaults.

The command-injection vulnerability was found by several teams participating in ZDI’s Pwn2Own Toronto contest last year and, as we said, TP-Link has since issued firmware to fix the issue. After hearing from ZDI that the Mirai botnet operators were trying to exploit it, TP-Link issued a statement urging users
