D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
Summary
CVE-2025-29635 is now being actively exploited on D-Link DIR-823X routers: a command-injection flaw that yields remote command execution and exposes the devices to botnet enrollment. The vulnerability affects firmware versions 240126 and 24082 and is triggered by POST requests to /goform/set_prohibiting. The impact is higher because the affected routers are end of life, which limits the chance of a vendor fix.
Related Happenings
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
How related:
A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
FCC bans new foreign-made consumer routers
Public Sector Action
First: 25.03.2026 09:11
Last: 25.03.2026 09:11
Sources 1
About this happening:
The U.S. Federal Communications Commission banned the import of new foreign-made consumer routers after concluding they pose unacceptable cyber and national security risks to U.S....
Latest development: 26.03.2026 21:48
The FCC's March 23 ban on new foreign-made consumer-grade routers may leave U.S. consumers and small businesses using older devices longer, while businesses replacing network gear could face a more constrained and potentially more expensive market with fewer approved options and longer procurement cycles.
CISA urgent mitigation order for Cisco FMC CVE-2026-20131
Advisory/Mitigation
First: 23.03.2026 12:30
Last: 23.03.2026 12:30
Sources 1
About this happening:
**CISA** ordered **federal civilian agencies** to patch **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** within **three days** or discontinue use if mitigat...
Timeline
22.04.2026 23:04 · 2 articles
Akamai reports active Mirai exploitation of D-Link DIR-823X routers
Initial Disclosure: Akamai SIRT reports active exploitation attempts against D-Link DIR-823X series routers vulnerable to CVE-2025-29635, with attackers sending POST requests to /goform/set_prohibiting, changing directories across writable paths, downloading dlink.sh from an external IP, and executing it to install the Mirai-based payload tuxnokill. The campaign is also linked to exploitation of CVE-2023-1389 on TP-Link routers and a separate RCE flaw in ZTE ZXV10 H108L routers, with Mirai DDoS capabilities including TCP SYN/ACK/STOMP, UDP floods, and HTTP null.
- New Mirai campaign exploits RCE flaw in EoL D-Link routers — www.bleepingcomputer.com — 22.04.2026 23:04
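The two network-visible indicators in the disclosure above (POST requests to /goform/set_prohibiting and a fetch of dlink.sh) can be turned into a simple log check. The following is an added example written for this page, not code from Akamai SIRT or from the cited article. It assumes HTTP requests reaching the router, or leaving the network, are recorded in Common Log Format by a reverse proxy or IDS (the DIR-823X itself may log differently); the log lines and IP addresses are constructed sample data, and the firmware version set is the one stated in the summary.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Firmware versions the summary lists as affected (values taken from the page).
AFFECTED_FIRMWARE = {"240126", "24082"}

# Injection endpoint named in the disclosure, and the second-stage file name.
VULNERABLE_ENDPOINT = "/goform/set_prohibiting"
STAGE_FILENAME = "dlink.sh"

# Common Log Format parser. Assumption: the proxy/IDS in front of the router
# logs in CLF; adjust the pattern for other log layouts.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    reason: str


def parse_clf(line: str) -> Optional[dict]:
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_affected_firmware(version: str) -> bool:
    """True when the reported firmware version is one the page lists as vulnerable."""
    return version.strip() in AFFECTED_FIRMWARE


def check_request(entry: dict) -> Optional[str]:
    """Match one parsed request against the indicators from the disclosure."""
    path = entry["path"].split("?", 1)[0]
    # The page describes exploitation via POST; GET probes are left unflagged here,
    # although a stricter deployment may want to record them as well.
    if entry["method"] == "POST" and path == VULNERABLE_ENDPOINT:
        return "POST to vulnerable endpoint " + VULNERABLE_ENDPOINT
    if path.rsplit("/", 1)[-1] == STAGE_FILENAME:
        return "download of " + STAGE_FILENAME + " (second-stage fetch named in the disclosure)"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each line and collect findings; unparsable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue
        reason = check_request(entry)
        if reason:
            findings.append(Finding(entry["src"], entry["ts"], entry["path"], reason))
    return findings


# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2026:23:04:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [22/Apr/2026:23:04:05 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 17',
    '192.0.2.10 - - [22/Apr/2026:23:04:09 +0000] "GET /goform/set_prohibiting HTTP/1.1" 405 0',
    '203.0.113.7 - - [22/Apr/2026:23:04:12 +0000] "GET /dlink.sh HTTP/1.1" 200 2048',
    'this line is not in common log format',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts}  {f.src}  {f.path}  ->  {f.reason}")
```

Run against a real proxy or IDS export, a hit on the first rule is a reason to pull the router's firmware version and compare it with is_affected_firmware; a hit on the second rule from an internal address suggests the device has already been instructed to fetch the stage and should be isolated.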