What is TP-Link Archer AX21 (AX1800)?

TP-Link Archer AX21 (AX1800) is a line of consumer-oriented Wi-Fi routers.

What is the attack?

A command injection vulnerability exists in TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219. It allows an unauthenticated attacker to inject operating-system commands through a crafted POST request to the router's web management interface and obtain root access on the device. The issue is tracked as CVE-2023-1389 and has a CVSS base score of 8.8, rated HIGH.
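To make the class of bug concrete, the following is an added example written for this page; it is not code from the Archer AX21 firmware and does not reproduce the actual exploit. It models the generic pattern behind an unauthenticated command injection in a web-management handler: an attacker-supplied POST field is spliced into a shell command string. The field name, the two-letter-code format and the use of `echo` as the stand-in for the real command are assumptions chosen to keep the demonstration harmless. The hardened variant shows the two layers a practitioner wants: validate the value against a strict allowlist, and never pass it through a shell.

```python
import re
import subprocess

# Assumed format for the field: a two-letter uppercase code (hypothetical, for this demo only).
ALLOWED_VALUE_RE = re.compile(r"^[A-Z]{2}$")


def vulnerable_handler(post_value: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a shell command.

    `echo` stands in for whatever command the real handler would run; a
    shell metacharacter in post_value (';', '|', '$(...)') lets the attacker
    run arbitrary commands with the handler's privileges (root on a router).
    """
    cmd = f"echo {post_value}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_handler(post_value: str) -> str:
    """First layer of the fix: no shell. The value becomes a single argv element,
    so ';' and friends are just characters in an argument, not command separators."""
    return subprocess.run(["echo", post_value], capture_output=True, text=True).stdout


def is_allowed_value(post_value: str) -> bool:
    """Second layer: positive validation against the expected format."""
    return ALLOWED_VALUE_RE.match(post_value) is not None


def hardened_handler(post_value: str) -> str:
    """Both layers combined: reject anything outside the allowlist, then run without a shell."""
    if not is_allowed_value(post_value):
        raise ValueError("rejected: value is not a two-letter uppercase code")
    return argv_only_handler(post_value)


if __name__ == "__main__":
    # Constructed sample inputs: a benign value and an injection attempt.
    benign = "US"
    malicious = "US; echo INJECTED"

    print("vulnerable, benign   :", repr(vulnerable_handler(benign)))
    print("vulnerable, malicious:", repr(vulnerable_handler(malicious)))  # second command runs
    print("argv-only, malicious :", repr(argv_only_handler(malicious)))   # treated as literal text
    print("hardened, benign     :", repr(hardened_handler(benign)))
    try:
        hardened_handler(malicious)
    except ValueError as exc:
        print("hardened, malicious  : rejected ->", exc)
```

Running the block shows the injected `echo INJECTED` executing in the vulnerable path, appearing only as literal text in the argv-only path, and being rejected outright by the hardened handler. On a device where the handler runs as root, the vulnerable path is exactly the "unauthenticated root" outcome described above.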

Why is this significant?

This is significant because CVE-2023-1389 is reportedly being exploited in the wild. Proof-of-concept (PoC) exploit code is publicly available, and multiple reports state that Mirai botnet malware was deployed to vulnerable TP-Link Archer AX21 devices after successful exploitation. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 1, 2023. The vendor's firmware update should be applied as soon as possible.

What is the vendor solution?

According to the TP-Link advisory, an Archer AX21 that is linked to a TP-Link ID automatically receives update notifications in the web administration interface and the Tether app. TP-Link strongly recommends downloading and installing the latest firmware for this model as soon as possible. Devices that are not linked to a TP-Link ID do not receive these notifications, so their firmware version should be checked manually against 1.1.4 Build 20230219.
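Because the fixed version is identified by both a dotted version number and a build date, a naive string comparison can misclassify devices (for example, a 1.1.4 build dated before 20230219). The following is an added example, not a TP-Link tool, that parses firmware strings of the form `1.1.4 Build 20230219` (with any trailing release suffix ignored), compares them with the fixed version quoted above, and triages a constructed inventory. The inventory entries and hostnames are made up for the demonstration.

```python
import re
from typing import Dict, Tuple

# Fixed version as stated in the advisory text above.
FIXED_VERSION = "1.1.4 Build 20230219"

# Accepts "<major>.<minor>.<patch> Build <YYYYMMDD>" and ignores any trailing
# text such as a release identifier; case-insensitive on the word "Build".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s+Build\s+(\d{8})", re.IGNORECASE)


def parse_firmware_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, build_date) so tuples compare in the right order."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def is_vulnerable(version_text: str, fixed_text: str = FIXED_VERSION) -> bool:
    """True when the running firmware predates the fixed version (numeric or build date)."""
    return parse_firmware_version(version_text) < parse_firmware_version(fixed_text)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each device as VULNERABLE, patched, or unparseable (needs manual review)."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "VULNERABLE" if is_vulnerable(version_text) else "patched"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "branch-router-01": "1.1.3 Build 20221208",             # older numeric version
    "branch-router-02": "1.1.4 Build 20230101",             # same numeric version, older build
    "branch-router-03": "1.1.4 Build 20230219 rel.12345",   # exactly the fixed build
    "branch-router-04": "1.2.0 Build 20230801",             # newer
    "branch-router-05": "unknown",                          # could not be read
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> {status}")
```

The second entry is the case a plain string or date-only comparison gets wrong: the numeric version already reads 1.1.4, but the build predates the fix. Treat "unparseable" entries as unverified rather than safe.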

What FortiGuard Coverage is available?

FortiGuard Labs has the following IPS signature in place for CVE-2023-1389:

TP-Link.Archer.AX21.Unauthenticated.Command.Injection

FortiGuard Labs has the following AV signatures in place for the reported Mirai malware variants deployed as a result of successful exploitation of CVE-2023-1389:

ELF/Mirai.A!tr
ELF/Mirai.BL!tr
BASH/Mirai.4C55!tr
Linux/Redis.TSU!tr

All network IOCs are blocked by the FortiGuard Web Filtering client.