
CVE-2023-50224

TP-Link WR841N router vulnerability exploited by APT28 to rewrite DNS settings and steal Microsoft 365 credentials.

Last refreshed: 17 April 2026

Key Question

How old is the TP-Link router bug that Russian intelligence is currently using?

Timeline for CVE-2023-50224

#1 17 Apr: F5 reclassifies DoS bug to 9.8 RCE (Cybersecurity: Threats and Defences)

#1 17 Apr: Enabled APT28 to extract router credentials and modify DNS settings on TP-Link WR841N devices (Cybersecurity: Threats and Defences: GRU hijacks home routers for M365 logins)
Common Questions

What is CVE-2023-50224 and should I worry about it?

CVE-2023-50224 is a vulnerability in TP-Link WR841N routers that Russia's APT28 has exploited since 2024 to intercept Microsoft 365 logins. If you have a WR841N, update its firmware and change the default admin password.

Source: NCSC PSA260407

Background

CVE-2023-50224 is a vulnerability in the TP-Link WR841N consumer router that APT28 has exploited since 2024 to extract router credentials and modify the router's DNS configuration, placing an adversary-in-the-middle on Microsoft 365 sign-ins to harvest credentials and OAuth tokens. The NCSC advisory published on 7 April 2026 identified the CVE as part of the campaign it attributes to GRU Unit 26165.

The vulnerability allows an attacker who can reach the router, either without valid credentials or with the default admin credentials that many home deployments never change, to extract sensitive configuration data (including the router's own credentials) and modify its DNS settings. APT28 uses that access to replace the primary DNS resolver with an attacker-controlled server running dnsmasq-2.85 on UDP 53. The rogue resolver forwards everything normally except Microsoft 365 authentication domains, which it answers with the attacker's interception host, so browsing looks unchanged to the victim while every M365 sign-in from behind the router passes through the attacker. Because the interception is adversary-in-the-middle rather than a static phishing page, the attacker also captures the tokens issued after a completed sign-in, which is why MFA on its own does not close this path.
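One way to spot the DNS-rewrite pattern described above from a client on the LAN is to resolve the same names through the router-supplied resolver and through an independent trusted resolver, then flag the case where only the Microsoft 365 sign-in names diverge. The following is an added example, not code from the NCSC advisory or from the page's source; the hostname watchlist, the trusted prefix, and every IP address in it are constructed from documentation ranges and stand in for values you would take from your own telemetry. Gathering the per-resolver answers themselves (for example with `dig @<resolver>`) is left outside the block so it runs offline.

```python
import ipaddress

# Names an adversary-in-the-middle of Microsoft 365 sign-in has to answer for.
# Hypothetical watchlist for this example; extend it from your own DNS/proxy logs.
M365_AUTH_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
})

# Control names that an attacker forwarding "everything else" leaves untouched.
CONTROL_HOSTS = frozenset({"example.org"})

# Address space the genuine sign-in endpoints are expected in. Placeholder
# documentation prefix; in practice build this from a trusted resolver's
# answers over time or from the vendor's published endpoint list.
TRUSTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def in_trusted_space(addr):
    """True if an A record falls inside the expected endpoint address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PREFIXES)


def compare_resolvers(router_answers, trusted_answers):
    """Compare A records obtained via the router's resolver with those from a
    trusted resolver. Both arguments map hostname -> iterable of IP strings.
    Returns a list of (hostname, reason) findings; empty means no signature."""
    findings = []
    for host in sorted(M365_AUTH_HOSTS | CONTROL_HOSTS):
        via_router = set(router_answers.get(host, ()))
        via_trusted = set(trusted_answers.get(host, ()))
        if not via_router:
            findings.append((host, "no answer from router resolver"))
            continue
        if host in M365_AUTH_HOSTS:
            # CDN answers legitimately vary, so do not demand equality; instead
            # require every router-supplied address to be in trusted space.
            rogue = sorted(a for a in via_router if not in_trusted_space(a))
            if rogue:
                findings.append((host, f"router resolver returned untrusted address(es) {rogue}"))
        elif via_router != via_trusted:
            # Control names diverging too points at a blunt resolver swap or
            # ISP-level difference rather than selective forwarding.
            findings.append((host, "control name differs between resolvers"))
    return findings


def selective_hijack(findings):
    """True when only sign-in names are affected: the selective-forwarding
    pattern the advisory describes for the dnsmasq-based rogue resolver."""
    hosts = {h for h, _ in findings}
    return bool(hosts) and hosts <= M365_AUTH_HOSTS


# Constructed sample: the rogue resolver answers login.microsoftonline.com with
# the attacker's interception host and forwards everything else unchanged.
ROUTER_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.45"},
    "login.live.com": {"198.51.100.21"},
    "login.microsoft.com": {"198.51.100.22"},
    "example.org": {"192.0.2.80"},
}
TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.20"},
    "login.live.com": {"198.51.100.21"},
    "login.microsoft.com": {"198.51.100.22"},
    "example.org": {"192.0.2.80"},
}

if __name__ == "__main__":
    results = compare_resolvers(ROUTER_ANSWERS, TRUSTED_ANSWERS)
    for host, why in results:
        print(f"[!] {host}: {why}")
    print("selective M365 hijack:", selective_hijack(results))
```

The check deliberately keys on address space rather than exact answer equality, because Microsoft's sign-in hostnames resolve to different CDN addresses depending on where and when you ask; a plain mismatch would page you constantly, while an answer outside any expected prefix is rare enough to act on.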

For home-router owners whose hardware matches the affected models, the NCSC's mitigation guidance is: update router firmware to the latest version, change the default admin credentials, and do not expose the admin interface to the internet. Patching alone does not undo a DNS rewrite that has already been made, so after updating it is worth checking the router's DNS and DHCP settings for a resolver you did not configure and restoring the expected one. The 2023 publication date of the CVE and its confirmed ongoing exploitation in 2026 underscore the gap between vulnerability disclosure and patching in the consumer-router market.