If you have an older TP-Link router at home or in the office, such as the TL-WR940N TL-WR841N or TL-WR740N this news is straight for you. Hackers are incorporating these routers into a dangerous botnet army. And the most painful thing is that TP-Link itself is saying there will be no fix for these routers. Learn the whole story how this attack happens and what you can do.
The Unsecured Home Router Left Vulnerable for Years
There a small router in a corner of the house. Its lights keep blinking, the internet keeps working, and no one has paid attention to it in years. No updates, no password changes, the original admin is still running as admin. It seems like nothing.
But a report published by Palo Alto Networks Unit 42 research team on April 17, 2026 is a very bad time for anyone thinking this. The blinking lights on that router may not just be keeping your internet running but launching DDoS attacks on websites and servers around the world. And you don’t know anything.
Understanding This Vulnerability A Quick Breakdown
CVE-2023-33538 is a code that identifies a specific security flaw. The CVSS score is 8.8 out of 10 which puts it in the high severity category. In simple terms there is a place in the web management settings of some older TP-Link routers where the router uses incoming information without checking it.
This place is a specific section of the routers WiFi settings where the SSID i.e. the name of the WiFi network is set. Normally someone writes his WiFi name there like MyHome_WiFi. But if someone enters a command instead of just the name WiFi the router executes that command as if someone had directly given it a command like a computer. This is called command injection. The router doesn’t even realize that what it thought was WiFi was actually a hackers instruction.
Which TP-Link Routers Are Vulnerable
As you read this three TP-Link router models are directly affected by this flaw. TL-WR940N versions 2 and 4 TL-WR740N versions 1 and 2 and TL-WR841N versions 8 and 10. All of these models were very popular in Pakistan, India, and around the world because they were cheap and reliable.
But they have all reached end of life meaning TP-Link will not release any new updates or security patches for them. If you have any of these models installed in your home or office, then technically you are using a machine that hackers attacked yesterday they are still attacking today and there is no permanent fix in sight.
Understanding the Full Exploitation Process
Unit 42 researchers Asher Davila, Malav Vyas, and Chris Navarrete analyzed this attack step by step in their April 2026 research. First the attacker uses an automated script that searches the Internet for routers with publicly accessible web interfaces.
When such a router is found the script sends a specifically crafted HTTP GET request that is a web request to a specific address of the router: /userRpm/WlanNetworkRpm. This request contains commands hidden inside the ssid parameter instead of the normal WiFi name.

These commands are something like this First download a file named arm7 from IP address 51.38.137.113 using the wget command then make that file executable, and then run it directly. And one important thing in this request and the default password of admin:admin is written in Base64 encoding which means hackers assume that you have never changed the password. And in many cases this assumption turns out to be correct.
Mirai vs Condi The Botnet Behind Global Router Attacks
The file that gets downloaded arm7 is not an ordinary malware. It is a variant of the Condi botnet that belongs to the Mirai family. The name Mirai must have been heard by those who remember the massive internet outage of 2016 when Amazon Twitter, Reddit Netflix and dozens of major websites went down simultaneously.
All of that happened because of a Mirai botnet attack. Mirais job is to infect home routers, cameras, smart devices and make them part of a single army. Then this army simultaneously sends so many requests to a website or server that the server crashes.
This is called a DDoS Distributed Denial of Service attack. Condi is a new member of this family and first reported by Fortinet in 2023. Condis operator operates under the alias zxcr9999 on Telegram and offers DDoS-as-a-service from his botnet on a channel called Condi Network meaning anyone could pay to have the Condi botnet attack any website.
From File Execution to Botnet Control The Hidden Risk
When the arm7 file is run on the router it immediately connects to a C2 server i.e., a command and control server whose domain has been confirmed as cnc.vietdediserver.shop. This server is the hackers headquarters. From there the infected router receives instructions on when to attack which target to target and how to attack.
The malware can also update itself and supports multiple CPU architectures and meaning it is not limited to just one router model.

Once a router is infected it becomes a zombie that executes every command of the hacker. A single router may not be very powerful, but when millions of such zombies work together they can disable any website in minutes. And during all this your home internet may slow down because your router is attacking others in the background.
There an important nuance to Unit 42s research thats a bit confusing everywhere. The researchers stated that the exploit code for the attacks observed in the wild was technically flawed and couldn’t directly compromise the router. But there a but. That flawed exploit only fails if authentication works correctly. If the router’s default password is admin/admin or any weak password, which is still the case on millions of routers worldwide, the exploit works perfectly.
The researchers conducted their own tests by emulating the routers firmware and confirmed that the underlying vulnerability is absolutely real. Meaning those who are saying this attack fails are not telling the truth. It only fails if the routers password is strong. If the password is the default which is very common the attack works perfectly.
244 IPs Global Spread A Widespread Attack Network
This is not a small isolated attack. According to Hacker News reporting, when CISA added this vulnerability to its Known Exploited Vulnerabilities list in June 2025, automated scanning and exploitation attempts were observed from 244 unique IP addresses, and this activity was targeting devices in the United States, United Kingdom, Spain, Germany, and India.
Pakistan is not directly mentioned but older TP-Link models commonly used here the TL-WR840N and TL-WR841N are present in billions of homes and offices in Pakistan. Meaning, the pool of potential victims is quite large here too.
Mirai Malware : From Home Routers to Critical Infrastructure Risks
This vulnerability also has another disturbing connection. In December 2024 Unit 42 analyzed a malware called FrostyGoop that targets operational technology namely, power grids and industrial control systems. That analysis found an IP address associated with a TP-Link WR740N router that someone used to access an ENCO industrial control device.
Direct proof wasn’t found but this connection suggests that these routers are not just limited to home internet and they could also be used as stepping stones to industrial and critical infrastructure attacks. A simple home router if infected can become a link on its way to a factory or power grid.
TP-Links official statement is straightforward. The company confirmed that all these devices are end-of-life and no official security patch will be released. They recommend that customers replace these devices and not use the default credentials.
It also came to light from a different source that TP-Link has kept some patches available on its tech support platform since 2018 but these are not automatic updates, requiring customers to contact them manually. Very few people do this. Practically speaking if your router is among the affected models there is no automatic fix no notification no official warning. Only sources like this article can tell you that the threat is real.
What You Should Do
The most important thing is to check your router model. There is a sticker on the back or bottom of the router with the model number. If it says TL-WR940N, TL-WR740N or TL-WR841N then you are in the category of directly affected devices. First, if possible, make the routers web management interface not directly accessible from the internet i.e. turn off remote access.
Second change the default password admin/admin right now. Keep a strong and unique password. Third and most effective thing is to replace this router. These are devices from before 2017 using them in 2026 is like living in a house with the doors completely open.
New routers are affordable and receive automatic security updates. Fourth if you have IoT devices like cameras or smart TVs keep them on a separate network segment or guest WiFi from the router so that even if the router gets infected and it cannot reach other sensitive devices.
Final Thought
The biggest lesson in this whole story isn’t that the TP-Link router is faulty. The lesson is that there are millions of devices around the world that are never updated, whose default passwords are never changed and which people assume are secure simply because they are working. Hackers take advantage of these ideas..
A router thats silently joined a botnet appears to function perfectly normal. The internet works, the lights blink, and there are no errors. But behind the scenes its attacking others. And when law enforcement or your ISP notices one day the IP address will be yours. Therefore home or office network security is not a technical issue and it is a basic responsibility.