
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
Happening score: 56
1 unique source, 1 article

Summary


The Mirai-based malware campaign is actively exploiting CVE-2025-29635 against D-Link DIR-823X routers, turning vulnerable devices into botnet nodes. The activity matters because the flaw enables remote command execution through a POST request to /goform/set_prohibiting, giving attackers direct control of exposed routers. First seen in early March 2026, the operation downloads dlink.sh and installs the Mirai payload tuxnokill. The same attack pattern was also observed abusing CVE-2023-1389 and a ZTE ZXV10 H108L RCE flaw.
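As an added defender-side example (not code from the original page or from any source it cites), the scanner below flags the two request shapes the summary names, a POST to /goform/set_prohibiting and a fetch of dlink.sh or tuxnokill, in web access-log lines. The combined log format, the inbound/egress mix and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the campaign summary; everything else here is assumed.
EXPLOIT_PATH = "/goform/set_prohibiting"
PAYLOAD_NAMES = ("dlink.sh", "tuxnokill")

# Assumed combined log format; request line is "METHOD PATH PROTO".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

@dataclass
class Finding:
    src: str
    ts: str
    reason: str
    path: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding when a line matches the campaign's traffic shape, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    path = m["path"]
    # Exploitation step: the vulnerable endpoint is hit with a POST (a GET is not flagged).
    if m["method"] == "POST" and path.split("?")[0] == EXPLOIT_PATH:
        return Finding(m["src"], m["ts"], "post_to_set_prohibiting", path)
    # Follow-on stage: the stager or payload name in a request line, e.g. an egress
    # proxy log of the router fetching dlink.sh after the injected command ran.
    lowered = path.lower()
    if any(name in lowered for name in PAYLOAD_NAMES):
        return Finding(m["src"], m["ts"], "payload_fetch", path)
    return None

def scan(lines) -> list:
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample lines (not real traffic): router web log plus an egress proxy line.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2026:02:14:09 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.23 - - [03/Mar/2026:02:14:11 +0000] "GET http://198.51.100.7/dlink.sh HTTP/1.1" 200 1432 "-" "Wget"',
    '192.0.2.9 - - [03/Mar/2026:02:15:00 +0000] "GET /goform/set_prohibiting HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Mar/2026:02:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.reason} {f.path}")
```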

Related Happenings

Universal Robots PolyScope 5 Dashboard Server command injection (CVE-2026-8153)

Vulnerability
First: 20.05.2026 19:12 · Last: 20.05.2026 19:12 · Sources: 1

About this happening: **CVE-2026-8153** patches a **critical command injection** flaw in **Universal Robots PolyScope 5 Dashboard Server** that could let an **unauthenticated attacker** execute command...

Weaver E-cology 10.0 unauthenticated RCE flaw (CVE-2026-22679)

Vulnerability
First: 05.05.2026 01:12 · Last: 05.05.2026 01:12 · Sources: 1

About this happening: **CVE-2026-22679** exposed **Weaver E-cology 10.0** to unauthenticated remote code execution on builds prior to **March 12**, allowing attackers to run system commands on the serv...

Latest development: 05.05.2026 10:37

Evidence of active abuse against Weaver (Fanwei) E-cology CVE-2026-22679 dates to March 17, 2026, with QiAnXin also saying it reproduced the unauthenticated remote code execution flaw that day in its alert.

D-Link DIR-823X command-injection RCE (CVE-2025-29635)

Vulnerability
First: 22.04.2026 23:04 · Last: 22.04.2026 23:04 · Sources: 1

How related: This vulnerability affects D-Link DIR-823X series routers running firmware versions 240126 and 24082. It allows an authorized attacker to execute arbitrary commands on the device by sending a crafted POST request to the /goform/set_prohibiting endpoint, whose handling function passes the input on to a command and so triggers remote command execution.

About this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
First: 20.04.2026 16:01 · Last: 20.04.2026 16:01 · Sources: 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
First: 20.04.2026 10:50 · Last: 20.04.2026 10:50 · Sources: 1

About this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...

Timeline

  1. 22.04.2026 23:04 · 2 articles

    Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

    Initial Disclosure

    In **early March 2026**, honeypots began seeing exploitation attempts against **CVE-2025-29635** on **D-Link DIR-823X routers**. The initial phase consisted of POST-based command-execution attempts that fetched **dlink.sh** and prepared devices for Mirai payload installation.
