A large-scale cyberattack has compromised more than 6,000 TP-Link Archer AX-21 routers worldwide, with hackers exploiting a high-severity remote code execution (RCE) vulnerability, CVE-2023-1389. The attack, orchestrated by the Ballista botnet, was first detected by cybersecurity researchers at Cato CTRL and later detailed by Tom’s Hardware. The malware has rapidly spread across multiple countries, including Brazil, Poland, the UK, Bulgaria, and Turkey, raising alarms about the security of IoT and home networking devices.
The exploited vulnerability allows attackers to remotely inject and execute commands on the affected routers without requiring user intervention. This capability enables the botnet to spread autonomously, creating a vast network of compromised devices that cybercriminals can use for launching large-scale distributed denial-of-service (DDoS) attacks, credential theft, or further malware distribution. The flaw was initially identified in April 2023, when it was exploited by the infamous Mirai botnet. However, despite security patches being available, the vulnerability continues to be abused by new malware variants such as Condi, AndroxGh0st, and now Ballista.
Cato CTRL’s cybersecurity team first detected Ballista’s activities on January 10, 2025, with the most recent known exploitation attempt recorded on February 17, 2025. While most of the affected routers are consumer-grade devices used in residential settings, the botnet has also targeted enterprise environments. Organizations in critical sectors such as manufacturing, healthcare, technology, and service industries have reported infections, with notable cases emerging in the United States, Australia, China, and Mexico. This spread beyond personal devices suggests a growing trend of cybercriminals leveraging unpatched networking infrastructure to penetrate corporate networks.
The continued exploitation of CVE-2023-1389 highlights the persistent risks posed by unpatched IoT and networking devices. Cybersecurity experts strongly urge TP-Link Archer AX-21 owners to update their router firmware immediately and disable remote access features if they are not in use. While TP-Link has issued security patches to address this vulnerability, thousands of devices remain unpatched, leaving them susceptible to cyberattacks.
Beyond this specific incident, the growing reliance on internet-connected infrastructure has made home and enterprise networking equipment an attractive target for cybercriminal operations. Attackers are increasingly using botnets to compromise devices on a massive scale, turning them into nodes within larger cybercriminal networks capable of launching global cyberattacks.
Security analysts stress the importance of proactive cybersecurity measures, including regularly updating device firmware, disabling unnecessary remote management features, and using strong authentication methods. Organizations with a large number of connected devices should implement network monitoring tools to detect unusual activity and prevent unauthorized access.
As the Ballista botnet continues to evolve, it serves as a stark reminder of the vulnerabilities that exist in widely used networking devices. Cybersecurity threats are becoming more sophisticated, and unpatched devices remain one of the most significant risks to both individual users and businesses. The attack on TP-Link routers underscores the critical need for increased vigilance and timely security updates to safeguard internet-connected systems from malicious exploitation.
