Ethical Hacking News
Mirai botnet variants are actively exploiting a command injection vulnerability in legacy D-Link routers, posing a significant threat to network security. The vulnerability, CVE-2025-29635, allows attackers to execute arbitrary commands on devices, compromising them with malware and other threats.
The Mirai botnet has been exploiting the CVE-2025-29635 vulnerability in D-Link DIR-823X series routers. The vulnerability allows attackers to inject commands into a command buffer, enabling remote command execution via a crafted POST request. Akamai's Security Intelligence and Response Team (SIRT) first identified this activity in March 2026. Similar request patterns are being used by threat actors to compromise devices. The vulnerability affects firmware versions 240126 and 24082 of D-Link DIR-823X series routers. A proof-of-concept (PoC) was published on GitHub and later removed, while the issue remained absent from CISA's Known Exploited Vulnerabilities catalog. Mirai botnet variants are being used to drop malware on affected devices. The persistence of Mirai campaigns is attributed to the reuse of leaked code, which makes it easier for new attackers to exploit vulnerabilities. Many organizations will continue to use vulnerable devices that have been retired, highlighting the need for regular vulnerability monitoring and patching.
The cybersecurity landscape has been increasingly marred by the exploits of Mirai botnets, which have become a significant concern for network administrators and security experts alike. In recent months, Akamai's Security Intelligence and Response Team (SIRT) has identified active exploitation of command injection vulnerability CVE-2025-29635 against D-Link DIR-823X series routers. Although these devices were discontinued in 2025, threat actors have been leveraging this flaw to deploy Mirai botnet variants, posing a significant threat to network security.
According to Akamai's report, the SIRT first identified this activity in their global network of honeypots in March 2026. This is the first reported active exploitation of these vulnerabilities since their initial disclosures in March 2025. The team has been monitoring the situation closely and has observed that threat actors are using similar request patterns to compromise devices.
The vulnerability, CVE-2025-29635, allows attackers to inject commands into a command buffer due to improper validation. An attacker-controlled value is copied without proper verification, making it possible for an attacker to execute arbitrary commands on the device. The vulnerability affects firmware versions 240126 and 24082 of D-Link DIR-823X series routers.
Security researchers Wang Jinshuai and Zhao Jiangting reverse-engineered the firmware's sub_42232C function and discovered that attacker-controlled macaddr input is copied into a command buffer with snprintf and then passed to system(). This enables remote command execution via a crafted POST request to /goform/set_prohibiting. The researchers also published a proof-of-concept (PoC) on GitHub, which was later removed, while the issue remained absent from CISA's Known Exploited Vulnerabilities catalog at the time of the report.
In early March 2026, Akamai SIRT observed active exploitation attempts using similar request patterns, including shell commands that fetch and execute malware from external infrastructure. The Mirai botnet variant, "tuxnokill," was identified as being used to drop malware on affected devices. This malware supports multiple architectures and uses XOR encoding (key 0x30) along with standard Mirai strings.
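The flaw described above comes down to an untrusted macaddr value reaching a command buffer without validation. The following is an added example, not D-Link firmware code and not from Akamai's report: it models the flawed pattern beside a hardened form that allow-lists the value before any command is built. The same validator, run over the macaddr parameter of requests to /goform/set_prohibiting in web or honeypot logs, flags the crafted POST requests the report describes. The specific command string and function names are assumptions for illustration.

```c
/* Added example (not the vendor's code). Models the snprintf()-into-
 * system() pattern from the report and a hardened alternative. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only canonical "xx:xx:xx:xx:xx:xx" (hex digits, colon separators).
 * Wrong length, other separators, empty input or any extra character
 * (including shell metacharacters) is rejected. */
int is_valid_macaddr(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return 0;
        }
    }
    return 1;
}

/* Flawed pattern: the untrusted value is formatted straight into the
 * command string, so whatever it contains becomes part of what system()
 * would run. Kept only for comparison; it never calls system() here.
 * The command text itself is an assumption. */
int build_cmd_unchecked(const char *mac, char *out, size_t n)
{
    return snprintf(out, n, "block_client %s", mac);
}

/* Hardened form: validate first and refuse to build a command at all
 * when the value is not a bare MAC address (-1 -> caller sends an error). */
int build_cmd_checked(const char *mac, char *out, size_t n)
{
    if (!is_valid_macaddr(mac))
        return -1;
    return snprintf(out, n, "block_client %s", mac);
}

int main(void)
{
    char cmd[128];
    /* Constructed inputs: one benign value, one carrying a metacharacter. */
    const char *good = "00:11:22:33:44:55";
    const char *bad  = "00:11:22:33:44:55;echo";
    printf("checked(good) = %d\n", build_cmd_checked(good, cmd, sizeof cmd));
    printf("checked(bad)  = %d\n", build_cmd_checked(bad, cmd, sizeof cmd));
    build_cmd_unchecked(bad, cmd, sizeof cmd);
    printf("unchecked(bad) would run: %s\n", cmd);
    return 0;
}
```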
The actor also exploits CVE-2025-29635, CVE-2023-1389 (TP-Link AX21), and a ZTE ZXV10 H108L RCE. The persistence of Mirai campaigns can be attributed to the reuse of leaked code, which lowers the barrier to entry for new attackers seeking profit. While some threat actors reject AI, others increasingly adopt it to develop malware or discover vulnerabilities. This cuts both ways: it adds to the risk from cybercrime, and it gives defenders a valuable tool.
The report concludes that many organizations globally will improperly configure devices, fail to patch in a timely manner, or continue to use vulnerable devices that have been retired, such as the D-Link DIR-823X series routers. It is essential for these organizations to regularly monitor vulnerability disclosures relevant to their infrastructure and apply proper patches, upgrades, and safeguards to ensure operational security.
Related Information:
https://www.ethicalhackingnews.com/articles/Mirai-Botnet-Exploits-Vulnerability-in-Legacy-D-Link-Routers-Posing-a-Significant-Threat-to-Network-Security-ehn.shtml
https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
https://www.akamai.com/blog/security-research/cve-2025-29635-mirai-campaign-targets-d-link-devices
https://undercodenews.com/mirai-botnet-exploits-cve-2025-29635-in-discontinued-d-link-routers-to-deploy-global-malware-campaign-video/
https://nvd.nist.gov/vuln/detail/CVE-2025-29635
https://www.cvedetails.com/cve/CVE-2025-29635/
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
https://www.cvedetails.com/cve/CVE-2023-1389/
Published: Wed Apr 22 14:37:26 2026 by llama3.2 3B Q4_K_M