From 666408318f17fbe10fdfd54c60368c5b94f9318f Mon Sep 17 00:00:00 2001 
From: CharlesRN <125233614+CharlesRN@users.noreply.github.com>
Date: Fri, 19 Apr 2024 07:39:31 +0800
Subject: [PATCH] TP-Link Archer Routers Advisory (#651)

* Cisco Expressway Advisory
* Format markdown files
* Update 20240208003-Cisco-Expressway-Series-Cross_Site-Request-Forgery.md changing of links
* Format markdown files
* Adobe Releases Security Updates
* Format markdown files
* Adobe Releases Security Updates
* Format markdown files
* Bricks WordPress Advisory
* Format markdown files
* Bricks WordPress
* Zyxel security advisory
* Format markdown files
* Linux Kernel Code Execution Vulnerability
* Format markdown files
* released a security advisory
* Format markdown files
* Update and rename 20240308004-Android-security-advisory.md to 20240308004-Android-security-advisory.md Changed from 007 to 008
* Android security advisory 20240308004
* Format markdown files
* Fortinet Critical SQLi Vulnerability in FortiClientEMS
* Format markdown files
* Update 20240318003-Fortinet-Critical-SQLi-Vulnerability-in-FortiClientEMS-Software.md Minor grammar fix and observability
* Format markdown files
* Firefox Patches Critical Zero-Day Vulnerabilities
* Format markdown files
* Firefox Patches Critical Zero-Day Vulnerabilities - 20240327003
* Format markdown files
* Update 20240327003-Firefox-Patches-Critical-Zero-Day-Vulnerabilities.md add cvss column and minor fix to table
* Delete docs/advisories/20240326002-Firefox-Patches-Critical-Zero-Day-Vulnerabilities.md no longer needed
* Format markdown files
* Supply Chain Compromise Affecting XZ Utils Data Compression Library - 20240402002
* Format markdown files
* Cisco Vulnerability in Small Business Routers
* Format markdown files
* Updated overview to include all Router series.
* Bitdefender Advisory
* Format markdown files
* TP-Link Archer Routers Advisory
* Format markdown docs
* Update 20240418003-Botnets-Swarm-Exploited-in-TP-Link-Archer-Routers.md Fixing table

---------

Co-authored-by: GitHub Actions
Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com>
Co-authored-by: CharlesRN
--- ...arm-Exploited-in-TP-Link-Archer-Routers.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 docs/advisories/20240418003-Botnets-Swarm-Exploited-in-TP-Link-Archer-Routers.md diff --git a/docs/advisories/20240418003-Botnets-Swarm-Exploited-in-TP-Link-Archer-Routers.md b/docs/advisories/20240418003-Botnets-Swarm-Exploited-in-TP-Link-Archer-Routers.md new file mode 100644 index 000000000..7004d5075 --- /dev/null +++ b/docs/advisories/20240418003-Botnets-Swarm-Exploited-in-TP-Link-Archer-Routers.md
@@ -0,0 +1,25 @@ +# Botnets Swarm Exploited in TP-Link Archer Routers - 20240418003 + +## Overview + +TP-Link Archer AX21 (AX1800) contains a command injection vulnerability in the web management interface within the 'Country' field. An attacker can leverage this vulnerability to execute arbitrary code in the context of root with a simple POST. + +## What is vulnerable? + +| Product Affected | CVE | Severity | CVSS | +| -------------------------------------------------------------------------- | --------------------------------------------------------------- | -------- | ---- | +| TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 | [CVE-2023-1389](https://nvd.nist.gov/vuln/detail/CVE-2023-1389) | **High** | 8.8 | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +## Additional References + +- [TP-Link Archer AX21 Command Injection (packetstormsecurity.com)](https://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html) +- [Unauthenticated Command Injection in TP-Link Archer AX21 (AX1800) (tenable.com)](https://www.tenable.com/security/research/tra-2023-11) +- [Old Vulnerability, New Attacks (securityonline.info)](https://securityonline.info/old-vulnerability-new-attacks-botnets-swarm-exploited-cve-2023-1389-in-tp-link-routers/)
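Review bot: The Recommendation paragraph ends with a colon after "(refer [Patch Management](../guidelines/patch-management.md)):" but the next line is the "## Additional References" heading, so the vendor instructions it introduces are missing. Add the vendor advisory or firmware link as a bullet there (or end the sentence with a full stop), and name the fixed release from the table, 1.1.4 Build 20230219, as the upgrade target. The "*one month...*" timeframe keeps a trailing ellipsis inside the emphasis that reads like template residue. The title "Botnets Swarm Exploited in TP-Link Archer Routers" does not parse; wording such as "Botnets Exploiting TP-Link Archer Routers (CVE-2023-1389)" would match what the linked securityonline.info article reports. The Overview also leaves out that the injection is unauthenticated, which the Tenable reference title states and which matters to anyone triaging exposure of the web management interface.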