CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21

Detects a potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in the TP-Link Archer AX21 router.

Sigma rule

title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
id: 6c7defa9-69f8-4c34-b815-41fce3931754
status: experimental
description: |
    Detects a potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.
references:
    - https://www.tenable.com/security/research/tra-2023-11
    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
date: 2024-06-25
tags:
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
    - cve.2023-1389
logsource:
    category: proxy
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri|contains|all:
            - '/cgi-bin/luci/;stok=/locale'
            - 'form=country'
    selection_keyword:
        - 'operation=write'
        - 'country=$('
    condition: all of selection_*
falsepositives:
    - Vulnerability Scanners
level: medium
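The following is an added worked example, not code from the Sigma project or the rule authors. It re-implements the rule's two selections and its `all of selection_*` condition in Python and runs them over a handful of constructed proxy events, so the matching semantics (OR within a field's value list, AND for `|contains|all`, keyword search over the whole event, case-insensitive string comparison as Sigma defaults to) can be seen concretely. The event dictionaries, the host name and the `$(PLACEHOLDER)` marker are all constructed; the marker is not a working payload.

```python
"""Evaluate the CVE-2023-1389 Sigma rule against constructed proxy log events.

Added example, not part of the Sigma rule set. The field names (cs-method,
cs-uri, cs-host) follow the proxy log source the rule targets.
"""

# Values copied from the rule's detection section, lower-cased because Sigma
# string matching is case-insensitive by default.
METHODS = {"GET", "POST"}
URI_ALL = ("/cgi-bin/luci/;stok=/locale", "form=country")
KEYWORDS = ("operation=write", "country=$(")


def selection_uri(event: dict) -> bool:
    """Field-bound selection.

    cs-method is a value list, so any listed value matches (OR).
    cs-uri|contains|all requires every listed substring to be present (AND).
    """
    method = str(event.get("cs-method", "")).upper()
    uri = str(event.get("cs-uri", "")).lower()
    return method in METHODS and all(s in uri for s in URI_ALL)


def selection_keyword(event: dict) -> bool:
    """Unbound keyword list: Sigma searches the whole event, any keyword matches."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(k in haystack for k in KEYWORDS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_uri(event) and selection_keyword(event)


def evaluate(events: list) -> list:
    """Return one boolean per event: True where the rule would alert."""
    return [rule_matches(e) for e in events]


# Constructed sample events (not real traffic). $(PLACEHOLDER) stands in for
# whatever an attacker would put in the country parameter; it runs nothing.
SAMPLE_EVENTS = [
    # write to form=country with the injection marker: should alert
    {"cs-method": "POST", "cs-host": "router.example",
     "cs-uri": "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(PLACEHOLDER)"},
    # ordinary read of the same form: URI selection hits, no keyword -> no alert
    {"cs-method": "GET", "cs-host": "router.example",
     "cs-uri": "/cgi-bin/luci/;stok=/locale?form=country&operation=read"},
    # write keyword present but a different form: URI selection misses -> no alert
    {"cs-method": "GET", "cs-host": "router.example",
     "cs-uri": "/cgi-bin/luci/;stok=/locale?form=lang&operation=write"},
    # right URI and keyword but a method the rule does not list -> no alert
    {"cs-method": "HEAD", "cs-host": "router.example",
     "cs-uri": "/cgi-bin/luci/;stok=/locale?form=country&country=$(PLACEHOLDER)"},
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["cs-method"], event["cs-uri"])
```

Two points the sample set makes visible: the keyword selection only fires if the proxy actually records the query string (or the POST body) in the event, so a proxy that logs bare paths will satisfy `selection_uri` but never `selection_keyword`; and, as the rule's falsepositives entry notes, vulnerability scanners probing the same endpoint produce identical-looking events, so a hit should be correlated with the source address and any subsequent outbound traffic from the router rather than treated as a confirmed compromise on its own.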
