CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
Detects potential exploitation attempts of CVE-2023-1389, an unauthenticated command injection in the TP-Link Archer AX21 router, by matching requests to the vulnerable locale endpoint in proxy logs.
Sigma rule

```yaml
title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
id: 6c7defa9-69f8-4c34-b815-41fce3931754
status: experimental
description: |
    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
references:
    - https://www.tenable.com/security/research/tra-2023-11
    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py
    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
author: Nasreddine Bencherchali (Nextron Systems), Rohit Jain
date: 2024-06-25
tags:
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
    - cve.2023-1389
logsource:
    category: proxy
detection:
    selection_uri:
        cs-method:
            - 'GET'
            - 'POST'
        cs-uri|contains|all:
            - '/cgi-bin/luci/;stok=/locale'
            - 'form=country'
    selection_keyword:
        - 'operation=write'
        - 'country=$('
    condition: all of selection_*
falsepositives:
    - Vulnerability Scanners
level: medium
```
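The rule's detection logic evaluated over a handful of constructed proxy log lines, as an added example that is not part of the rule or of the Sigma project. The W3C-style field layout (`date time c-ip cs-method cs-uri sc-status`), the sample requests and the optional URL-decoding pass are assumptions made here; `selection_uri` is the field-bound part of the rule, `selection_keyword` is a bare list and therefore matches any of its strings anywhere in the event, and `all of selection_*` requires both.

```python
from urllib.parse import unquote

# Constructed sample proxy log in an assumed W3C-style layout
# (date time c-ip cs-method cs-uri sc-status). None of these lines come from
# a real device or from the rule's references; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri sc-status
2024-06-25 10:00:01 203.0.113.5 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) 200
2024-06-25 10:00:02 203.0.113.5 GET /cgi-bin/luci/;stok=/locale?form=country&country=%24%28id%29 200
2024-06-25 10:00:03 192.0.2.10 GET /cgi-bin/luci/;stok=/locale?form=country&operation=read 200
2024-06-25 10:00:04 192.0.2.10 POST /cgi-bin/luci/;stok=/admin/status?form=all 200
"""

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri", "sc-status"]

# Strings taken from the rule above.
URI_MARKERS = ("/cgi-bin/luci/;stok=/locale", "form=country")  # cs-uri|contains|all
KEYWORDS = ("operation=write", "country=$(")                    # selection_keyword (any of)


def parse_line(line: str) -> dict:
    """Split one data line into the assumed fields (the URI carries no spaces here)."""
    return dict(zip(FIELDS, line.split(" ", len(FIELDS) - 1)))


def matches_rule(event: dict, decode: bool = False) -> bool:
    """Evaluate `all of selection_*` for one parsed event.

    selection_uri: cs-method is GET or POST and cs-uri contains every marker.
    selection_keyword: any keyword anywhere in the event (unbound keyword list).
    decode=True additionally tests the URL-decoded event; the published rule
    matches literal strings only, so this is a tightening assumed here.
    """
    if event.get("cs-method") not in ("GET", "POST"):
        return False
    uri_views = [event.get("cs-uri", "")]
    whole = " ".join(event.values())
    haystacks = [whole]
    if decode:
        uri_views.append(unquote(uri_views[0]))
        haystacks.append(unquote(whole))
    uri_ok = any(all(m in v for m in URI_MARKERS) for v in uri_views)
    kw_ok = any(k in h for k in KEYWORDS for h in haystacks)
    return uri_ok and kw_ok


def scan(log_text: str, decode: bool = False) -> list:
    """Return the 0-based indices of the data lines (comment lines skipped) that match."""
    data_lines = [l for l in log_text.splitlines() if l and not l.startswith("#")]
    return [i for i, line in enumerate(data_lines)
            if matches_rule(parse_line(line), decode=decode)]


if __name__ == "__main__":
    print("literal match (as published):", scan(SAMPLE_LOG))        # [0]
    print("with URL decoding:", scan(SAMPLE_LOG, decode=True))      # [0, 1]
```

Run as published, only the first line fires: the `operation=read` request to the same locale endpoint (index 2) shows why the rule needs `selection_keyword` on top of the URI markers, and the other `stok=` endpoint (index 3) never reaches the keyword check. The second line carries `$(` only as `%24%28`, so a literal match misses it; whether that matters depends on whether the proxy writes `cs-uri` raw or already decoded, which is worth checking against the actual log source before relying on either form.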
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt