
CVE-2023-50224
TP-Link WR841N router vulnerability exploited by APT28 to rewrite DNS settings and steal Microsoft 365 credentials.
Last refreshed: 20 May 2026 · Appears in 1 active topic
Why is a 2023 home-router flaw still giving Russia access to corporate Microsoft 365 accounts in 2026?
Timeline for CVE-2023-50224
Enabled unauthenticated VPN session establishment via IKEv1 logic flaw
Cybersecurity: Threats and Defences: VPN zero-day open a month pre-patchExploited in the wild against Magento stores before the federal deadline
Cybersecurity: Threats and Defences: Magento RCE forces 9-day patch raceExploited to break out of Linux containers and reach root on host systems
Cybersecurity: Threats and Defences: Old Linux container bug back in the wildExchange repeats the CISA deadline-before-patch trap
Cybersecurity: Threats and DefencesMentioned in: Patch Tuesday clean streak hides out-of-band KEVs
Cybersecurity: Threats and DefencesWhat is CVE-2023-50224 and should I worry about it?
How does APT28 use hacked home routers to steal Microsoft 365 passwords?
Why are home routers still being used in state-level cyberattacks in 2026?
Background
CVE-2023-50224 is a vulnerability in the TP-Link WR841N consumer router that APT28 has exploited since 2024 to extract router credentials and modify DNS configuration for adversary-in-the-middle Microsoft 365 credential and OAuth token harvesting. The NCSC advisory published on 7 April 2026 identified the CVE as part of the attribution-backed GRU Unit 26165 campaign.
The vulnerability allows an unauthenticated attacker (or one with access to the router's admin panel, which on many home deployments uses default credentials) to extract sensitive configuration data and modify DNS settings. APT28 uses the access to replace the primary DNS resolver with an attacker-controlled server running dnsmasq on UDP 53, selectively routing only Microsoft 365 authentication domains to the attacker for credential interception. For home-router owners with affected models, NCSC's mitigation guidance is: update router firmware to the latest version, change default admin credentials, and avoid exposing the admin interface to the internet.
CVE-2023-50224 is a structural example of the consumer-router-as-enterprise-attack-surface pattern that recurs at every tier of the threat landscape. APT28's exploitation of a 2023-vintage consumer flaw on home hardware to reach corporate Microsoft 365 accounts sits in the same threat category as the Cisco SD-WAN CVE-2026-20182 (CVSS 10.0, exploited by UAT-8616 in May 2026) and the Exchange Server CVE-2026-42897 at the enterprise end of the same stack. The 2023 disclosure date and confirmed active exploitation in 2026 are evidence of the persistent patch gap in the consumer-router market: a three-year window between CVE publication and full remediation across deployed hardware, which state actors exploit precisely because consumer devices are not managed on enterprise patch cycles.