Zero Day Monitor (ZDM)
CVE-2023-50224 · KEV · EXPLOITED · CVSS 6.5
tp-link · tl-wr841n_firmware

TP-Link TL-WR841N dropbearpwd Improper Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installat

Description

Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This malicious re-configuration resulted in thousands of devices sending their DNS requests to actor-controlled servers. In most cases, the DNS requests appear to have been transparently proxied by the actor’s infrastructure, resulting in connections to the legitimate service endpoints without interruption. However, in a limited number of compromises, the threat actor spoofed DNS responses for specifically targeted domains to force impacted endpoints to connect to infrastructure controlled by the threat actor.

Affected Products

Vendor | Product | Versions
tp-link | tl-wr841n_firmware | CVE-2023-50224

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
tp-link | tl-wr841n | cve_cpe | 95%

References

  • https://www.tp-link.com/en/support/download/tl-wr841n/v12/#Firmware (Product)
  • https://www.zerodayinitiative.com/advisories/ZDI-23-1808/ (Third Party Advisory)
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-50224 (US Government Resource)

Related News (1 articles)

Tier D
SecurityWeek · 2d ago
US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
→ No new info (linked only)
CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: Yes
Actively exploited: Yes
CWE: CWE-290, CWE-20
Published: May 3, 2024
Last enriched: 2d ago (v3)
Tags: espionage, APT28, Forest Blizzard, Storm-2754, FrostArmada
Trending Score: 68
Source articles: 1
Independent: 1
Info Completeness: 11/14
Missing: epss, patch, mitre_attack

Related CVEs (5)

HIGH · CVE-2025-15605
A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated att
Trending: 4
HIGH · CVE-2025-62501
SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. Th
Trending: 4
HIGH · CVE-2025-15519
Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An
Trending: 4
HIGH · CVE-2025-15518
Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An
Trending: 4
HIGH · CVE-2025-62673
Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially c
Trending: 4

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

May 3, 2024 · CVE Published
May 3, 2024 · Added to CISA KEV
Oct 27, 2025 · Actively Exploited
Oct 27, 2025 · Exploit Available
Apr 1, 2026 · Discovered by ZDM
Apr 8, 2026 · Updated: affectedVersions, cweIds, tags
Apr 8, 2026 · Updated: description, tags, iocs

Version History

v3 · Tier D · 2d ago

Added a detailed description of the attack method and included new tags and IoCs related to the threat actor.

description, tags, iocs
via SecurityWeek
v2 · Tier D · 2d ago

Updated severity to HIGH, CVSS estimate to 7.5, added new affected version CVE-2023-50224, and included new IoCs and tags related to the espionage operation.

affectedVersions, cweIds, tags
via SecurityWeek
v1 · 8d ago

Initial creation