Why it matters: The US government's Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog and warned that they are being actively exploited in the wild. One of those vulnerabilities affects the TP-Link Archer AX21 (AX1800) WiFi router, and is being exploited by operators of the Mirai malware botnet.

Alongside the TP-Link router exploit, the two other vulnerabilities placed on CISA's list are the Oracle WebLogic Server Unspecified Vulnerability, tracked as CVE-2023-21839, and the Apache Log4j2 Deserialization of Untrusted Data Vulnerability, tracked as CVE-2021-45046. According to the agency, all three types of vulnerabilities are frequent attack vectors for cybercriminals and pose a "significant threat" to users.

The TP-Link router exploit was first detected at the Pwn2Own Toronto hacking event last December, where two different teams were able to breach the device using the LAN and WAN interfaces. The issue was reported to TP-Link in January and the company released a patch for it last month.

In a statement addressing the issue, TP-Link said that it takes security vulnerabilities "very seriously" and works diligently to mitigate any flaw that could jeopardize the security and privacy of its customers. The company also urged all users of the AX21 router to download and install the update as soon as possible.

As per the National Vulnerability Database (NVD), TP-Link's Archer AX21 Wi-Fi 6 routers with firmware versions prior to 1.1.4 Build 20230219 contained an unauthenticated command injection vulnerability which allowed surreptitious remote code execution, enabling hackers to take over the device and use it for distributed denial-of-service (DDoS) attacks against game servers.

However, despite the fix being available, Trend Micro's Zero Day Initiative (ZDI) research group has found that cybercriminals are exploiting the vulnerability in the wild. As per the report, the attacks were first detected on April 11 in Eastern Europe, but have since spread worldwide.

Operators of the Mirai botnet are known for quickly exploiting vulnerabilities in IoT devices, so it's not a major surprise for researchers that they have been able to start targeting the latest flaw so soon after it was disclosed publicly. Either way, applying the patch is the only way to mitigate the vulnerability, so all TP-Link Archer AX21 owners should do it as soon as possible to prevent any possible security risk.
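For anyone tracking more than one of these routers, the check below flags firmware older than the fixed release named above (1.1.4 Build 20230219). It is an added example, not TP-Link or CISA code; the string layout follows the NVD wording, and the host names and sample firmware strings are constructed.

```python
import re

# Fixed release named in the article: 1.1.4 Build 20230219
FIXED = ((1, 1, 4), 20230219)

# Assumed layout, modelled on the NVD wording: "<dotted version> Build <YYYYMMDD>"
_FW_RE = re.compile(r"(\d+(?:\.\d+)*)\s+Build\s+(\d{8})", re.IGNORECASE)


def parse_firmware(text):
    """Return ((major, minor, ...), build_date) or None if the string is unrecognised."""
    match = _FW_RE.search(text or "")
    if not match:
        return None
    version = tuple(int(part) for part in match.group(1).split("."))
    return version, int(match.group(2))


def needs_update(text):
    """True if older than the fixed release, False if not, None if unparseable."""
    parsed = parse_firmware(text)
    if parsed is None:
        return None
    # Compare the version first; the build date breaks ties within one version.
    return parsed < FIXED


def triage(inventory):
    """Sort hosts into vulnerable / patched / unknown by reported firmware string."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, firmware in inventory.items():
        verdict = needs_update(firmware)
        key = "unknown" if verdict is None else "vulnerable" if verdict else "patched"
        report[key].append(host)
    return report


# Constructed inventory: host names and firmware strings are sample values.
SAMPLE_INVENTORY = {
    "ax21-lobby": "1.1.3 Build 20220907 rel.12345",
    "ax21-office": "1.1.4 Build 20230219 rel.69802",
    "ax21-lab": "1.1.4 Build 20230101",
    "ax21-spare": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" need a manual look at the router's admin page rather than being assumed patched.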