Mirai has updated its arsenal to include CVE-2023-1389. Zero Day Initiative cybersecurity experts: The flaw it’s still vulnerable and used by the botnet to attack devices in Eastern Europe and around the globe

The Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. Zero Day Initiative cybersecurity experts denounced it. The “Archer AX21 Wi-Fi router”, in fact, even if patched, is still vulnerable. The bug is an unauthenticated command injection vulnerability in the locale API available via the web management interface. This endpoint allows a user to specify the form we want to call by specifying the query string form along with an operation, usually read or write. In this instance, we are interested in the write operation on the country form, which is handled by the set_country function. This function will call merge_config_by_country that concatenates the specified country field into a command string. This command string will be executed using the popen function. There is no sanitization of the country field, so an attacker can achieve command injection at this point. Starting on April 11th, researchers began seeing that a threat actor had started to publicly exploit this vulnerability. Most of the initial activity was seen attacking devices in Eastern Europe, but now there are detections in other locations around the globe.