🤖 Ballista Botnet Exploits Unpatched TP-Link Vulnerability to Infect Over 6,000 Devices

ExcalibuR

👉 Unpatched TP-Link Archer routers have been targeted by a new botnet campaign dubbed Ballista, according to new data obtained by the Cato CTRL team.

🗞 “The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread automatically across the internet”, security researchers Ofek Vardi and Matan Mittelman wrote in a technical report.

📰 CVE-2023-1389 is a high-severity security flaw affecting TP-Link Archer AX-21 routers that can lead to command injection, which subsequently opens the path to remote code execution.

📌 The first evidence of active exploitation of this flaw dates back to April 2023, when unknown threat actors used it to distribute the Mirai botnet malware. Since then, it has also been used to distribute other malware families, such as Condi and AndroxGh0st.
 