Active scans and probes targeting CVE-2023-33538 were identified. The vulnerability affects several end-of-life TP-Link Wi-Fi router models, including the TL-WR940N v2 and v4.

The observed payloads are malicious binaries characteristic of Mirai-type botnets, intended to be downloaded and executed on vulnerable devices. This activity was observed after the CVE was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog in June 2025.

To determine the impact of these attacks, an exhaustive investigation was conducted by emulating the TP-Link TL-WR940N router. Through firmware emulation and reverse engineering, the exploits were analyzed to establish whether the payload could execute successfully on that device model.

The analysis revealed two key facts. First, although the attacks observed in the wild were flawed and would have failed, the underlying vulnerability is real. Second, successful exploitation requires authentication on the router's web interface.

This investigation demonstrates that, even though the active botnet attacks use flawed exploit code, the vulnerability remains a practical infection vector: exploitation requires authentication, and the widespread use of default credentials on IoT devices makes that requirement easy to satisfy.