More Than 6,000 TP-Link Routers Have Been Infected by Cyber Attacks

The Ballista botnet is actively exploiting a high-severity remote code execution (RCE) vulnerability—CVE-2023-1389—to infect TP-Link Archer AX-21 routers, according to a new report from Cato CTRL and detailed by Tom’s Hardware. Over 6,000 devices have been compromised so far, with infections primarily reported in Brazil, Poland, the UK, Bulgaria, and Turkey.

The flaw allows attackers to inject commands remotely, enabling the malware to execute arbitrary code and spread itself across the internet without user intervention. Although the vulnerability was first identified in April 2023, when it was used by the infamous Mirai botnet, it continues to be exploited by newer malware strains such as Condi, AndroxGh0st, and now Ballista.

Cato CTRL’s researchers first detected Ballista’s activity on January 10, 2025, with the latest known exploitation attempt recorded on February 17, 2025. While the majority of infected routers are consumer-grade devices, the botnet has also targeted organizations in sensitive sectors, including manufacturing, healthcare, technology, and service industries—especially in countries like the United States, Australia, China, and Mexico.

The attack highlights ongoing risks from unpatched or poorly secured IoT and network devices, especially in home and enterprise settings. Experts strongly recommend that TP-Link Archer AX-21 owners update their firmware immediately and disable remote access features if they are not in use.

As the botnet continues to evolve, the situation underscores the broader challenge of securing internet-connected infrastructure, which remains a frequent target for cybercriminal operations aiming to build powerful, distributed attack networks.

Published by
Afaq Wajdan Malik