CVE-2023-1389

Confirmed PUBLISHED

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the...

TP-Link · TP-Link Archer AX21 (AX1800)
Exploited in the wild Active exploitation observed PoC available Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
93
Unique Attacker IPs
10
CISA KEV
In CISA KEV
Virtual Patch
Yes 3 targets
CVSS / EPSS
8.8 High EPSS 100.0%

At a Glance

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

nessus_scanner cisa nuclei_scanner edge windows
CVE Published
Mar 15, 2023
Exploitation Reported
Apr 26, 2025
CVSS
8.8 High
EPSS
100.0%
Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
n/a
TP-Link Archer AX21 (AX1800)

All versions prior to version 1.14 Build 20230219

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.