New research from Cato CTRL, as reported by Tom’s Hardware, reveals that the Ballista botnet is actively exploiting CVE-2023-1389, a high-severity remote code execution (RCE) vulnerability, to infect TP-Link Archer AX-21 routers. The attack has primarily impacted devices in Brazil, Poland, the UK, Bulgaria, and Turkey, with over 6,000 routers compromised so far.
This vulnerability lets malicious actors remotely inject commands, which in turn gives the malware the ability to execute code at will and propagate across the internet without the user’s knowledge or consent. Newer malware variants such as Condi, AndroxGh0st, and now Ballista continue to exploit the vulnerability, even though it was first reported in April 2023, when the notorious Mirai botnet leveraged it.
On January 10, 2025, researchers from Cato CTRL first noticed that Ballista was active; on February 17, 2025, they documented the most recent known effort at exploitation. Even though most infected routers are consumer-grade equipment, the botnet has also hit vital industries including healthcare, manufacturing, technology, and services, particularly in nations like Mexico, China, and the US.
This attack once again shows how dangerous it is to run unpatched or improperly secured Internet of Things (IoT) and network devices, particularly in residential and business environments. Experts advise owners of the TP-Link Archer AX-21 to upgrade its firmware promptly and to disable remote access functions whenever they are not in use.
The incident highlights the larger challenge of protecting internet-connected infrastructure, which is frequently targeted by cybercriminals seeking to build large, resilient attack networks, and the botnet itself keeps evolving.