CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21

    Date: 08/28/2024

    Severity: Medium

    Summary

    Detects potential exploitation attempts of CVE-2023-1389, an unauthenticated command injection vulnerability in the TP-Link Archer AX21. The flaw is reachable through the router's locale API endpoint (/cgi-bin/luci/;stok=/locale): the 'country' parameter of the form=country write operation is passed to a shell without sanitization, so an unauthenticated request carrying a command-substitution payload such as country=$(...) executes arbitrary commands on the device. Shortly after disclosure the vulnerability was picked up by the Mirai botnet (see the ZDI reference below), which is why exploitation attempts are typically automated and noisy.

    Indicators of Compromise (IOC) List

    cs-method (either value)

    'GET'

    'POST'

    cs-uri (all four substrings must appear in the same request URI; the referenced Sigma rule expresses this as cs-uri|contains|all)

    '/cgi-bin/luci/;stok=/locale'

    'form=country'

    'operation=write'

    'country=$('

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    (resourceName = "BlueCoat ProxyClient"  AND proxycsmethod in ("GET","POST" ) ) AND proxycsuripath In ("/cgi-bin/luci/;stok=/locale" , "form=country" , "operation=write" , "country=$(")

    Detection Query 2

    (Technologygroup = "EDR"  AND proxycsmethod in ("GET","POST" ) ) AND proxycsuripath In ("/cgi-bin/luci/;stok=/locale" , "form=country" , "operation=write" , "country=$(")
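    The two queries above are product-specific. As an added example (not Gurucul's code and not the Sigma project's), the block below implements the same detection logic in plain Python and runs it over a few constructed proxy log lines, so the matching rule can be checked independently of the query language. It follows the referenced Sigma rule: the method is GET or POST and all four URI substrings must be present together, not merely any one of them. It also percent-decodes the URI before matching, on the assumption that some proxies log the query string encoded (so country=$( may arrive as country=%24%28). The log field order (date time c-ip cs-method cs-uri sc-status) and the sample lines are constructed for the example.

```python
"""Detection logic for CVE-2023-1389 exploitation attempts, as an added example.

Assumptions: proxy log lines are space-separated with the constructed field
order  date time c-ip cs-method cs-uri sc-status.  The URI may be logged
percent-encoded, so both the raw and the decoded form are checked.
"""
from urllib.parse import unquote

# Indicators from the IOC list above.
METHODS = {"GET", "POST"}
URI_MARKERS = (
    "/cgi-bin/luci/;stok=/locale",
    "form=country",
    "operation=write",
    "country=$(",
)


def is_cve_2023_1389_attempt(cs_method: str, cs_uri: str) -> bool:
    """Return True when the request matches the rule:
    method is GET or POST AND every marker in URI_MARKERS is a substring of
    the URI (raw or percent-decoded)."""
    if cs_method.upper() not in METHODS:
        return False
    # Check the raw URI and the decoded URI so an encoded "$(" (%24%28) still matches.
    for candidate in (cs_uri, unquote(cs_uri)):
        if all(marker in candidate for marker in URI_MARKERS):
            return True
    return False


def parse_log_line(line: str) -> dict:
    """Parse one constructed proxy log line into a dict keyed by field name."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("unexpected log line: %r" % line)
    date, time, c_ip, cs_method, cs_uri, sc_status = fields[:6]
    return {
        "date": date,
        "time": time,
        "c-ip": c_ip,
        "cs-method": cs_method,
        "cs-uri": cs_uri,
        "sc-status": sc_status,
    }


def scan(lines):
    """Return the parsed records that match the CVE-2023-1389 rule."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C-style directives
        rec = parse_log_line(line)
        if is_cve_2023_1389_attempt(rec["cs-method"], rec["cs-uri"]):
            hits.append(rec)
    return hits


# Constructed sample log: two exploit attempts (one plain, one percent-encoded),
# a benign read of the same form, a benign write, and a non-matching method.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri sc-status
2024-08-28 10:15:02 203.0.113.7 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) 200
2024-08-28 10:15:09 10.0.0.5 GET /cgi-bin/luci/;stok=/locale?form=country&operation=read 200
2024-08-28 10:16:41 198.51.100.23 POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29 200
2024-08-28 10:17:00 10.0.0.5 POST /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US 200
2024-08-28 10:18:13 203.0.113.9 HEAD /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) 405
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("CVE-2023-1389 attempt from %s: %s %s" % (hit["c-ip"], hit["cs-method"], hit["cs-uri"]))
```

Running the block reports the two exploit attempts only; the read request, the write with a plain country code, and the HEAD request with a payload are not flagged. When porting this to a SIEM, keep the AND over all four substrings: matching on any single indicator (for example '/cgi-bin/luci/;stok=/locale' alone) fires on ordinary router management traffic, and matching the indicators as exact URI values rather than substrings never fires at all.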

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml

    https://www.tenable.com/security/research/tra-2023-11

    https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py

    https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal


    Tags

    SigmaMalware
