
A Deep Dive Into Attempted Exploitation of CVE-2023-33538#2138

Open
carlospolop wants to merge 1 commit into master from update_A_Deep_Dive_Into_Attempted_Exploitation_of_CVE-202_20260417_021837

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
  • Blog Title: A Deep Dive Into Attempted Exploitation of CVE-2023-33538
  • Suggested Section: Network Services Pentesting -> Pentesting Web -> Command Injection (add an embedded/IoT router subsection: authenticated command injection via config parameters + session-token-in-URL patterns) and optionally a cross-link from Hardware/Physical Access -> Firmware Analysis (firmware emulation + reversing httpd dataflow)

🎯 Content Summary

Post title
A Deep Dive Into Attempted Exploitation of CVE-2023-33538

Context / Why this matters
Unit 42 investigated real-world, automated scanning/probing activity attempting to exploit CVE-2023-33538 against end-of-life TP-Link Wi‑Fi routers:
- TL-WR940N v2, v4
- TL-WR740N v1, v2
- TL-WR841N v8, v10

They observed these campaigns around the time CISA added this CVE to the KEV catalog in June 2025. The payload...

🔧 Technical Details

Command injection via configuration fields that are later interpolated into shell commands
If a web-exposed configuration value (e.g., Wi‑Fi SSID) is accepted from an HTTP request and later embedded into a shell command string (example from the post: "iwconfig %s essid %s") without sanitization/escaping, an attacker can inject shell metacharacters in that field and achieve command execution when the firmware ultimately invokes the system shell (example sink from the post: execve("/bin/sh")). Reverse engineering should trace the full dataflow from request parsing (e.g., httpGetEnv()) through config apply functions to the execution wrapper (e.g., executeFormatCmd()/cgi.md as the single destination for this blog’s reusable technique. I added a router-focused subsection covering authenticated config-parameter command injection, the exact sink-tracing workflow from request parser to shell execution, session-token-in-URL plus cookie bootstrap patterns, and the practical BusyBox constraints that break generic wget/curl botnet chains. I also added the Unit 42 article to the file’s references at cgi.md.

I did not create a new file or add firmware-analysis cross-links because the strongest non-duplicative fit was the existing embedded web/CGI page, and keeping the content in one file matches the repo guidance. Verification: only src/network-services-pentesting/pentesting-web/cgi.md was modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
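The "config value interpolated into a shell command" pattern summarized above is the core of the issue class. As an added illustration (not code from the Unit 42 post, from TP-Link firmware, or from the HackTricks repository), the C below shows the defender-side fix a firmware developer would apply at the config-apply step: an allow-list validator for the SSID field and an apply routine that execs the tool directly with an argv array instead of handing a formatted string to `/bin/sh`. The function names, the `SSID_MAX` limit, and the `/sbin/iwconfig` path are assumptions for the example.

```c
/* Added example: hardened handling of a web-supplied Wi-Fi SSID before it
 * reaches a wireless configuration tool. Not from the Unit 42 post or any
 * vendor firmware; names, limits and paths here are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SSID_MAX 32   /* 802.11 SSID length limit; policy chosen for this example */

/* Allow-list check: accept only a conservative character set and a bounded
 * length. Deny-listing individual shell metacharacters is the classic
 * mistake; an allow-list rejects anything the command never needs. */
int ssid_is_safe(const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > SSID_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ' '))
            return 0;
    }
    return 1;
}

/* Hardened apply path: validate, then run the tool with an argv array via
 * execv(). No shell parses the arguments, so there is no command string
 * for a metacharacter to break out of. Returns the child's exit status,
 * or -1 if validation, fork(), waitpid() or exec fails. */
int apply_ssid_noshell(const char *iface, const char *ssid)
{
    if (!ssid_is_safe(ssid))
        return -1;   /* rejected before any process is spawned */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* /sbin/iwconfig is an assumed path; each value is its own argv slot. */
        char *const argv[] = { "iwconfig", (char *)iface, "essid", (char *)ssid, NULL };
        execv("/sbin/iwconfig", argv);
        _exit(127);  /* exec failed; report like a shell would */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary SSID, one containing a
     * character the allow-list does not permit. */
    const char *samples[] = { "HomeNet-2G", "Guest;Net" };
    for (size_t i = 0; i < 2; i++)
        printf("%-12s -> %s\n", samples[i],
               ssid_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The important design choice is that the validator runs at the same place the post's sink-tracing workflow ends: right before the value is handed to the execution wrapper. Validating at the HTTP parser alone is not enough if the stored config value can be edited by a second code path.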

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> Pentesting Web -> Command Injection (add an embedded/IoT router subsection: authenticated command injection via config parameters + session-token-in-URL patterns) and optionally a cross-link from Hardware/Physical Access -> Firmware Analysis (firmware emulation + reversing httpd dataflow)".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
