Find notable cyber news and cases, enriched with sources, timelines, and signals.

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

The Mirai-based malware campaign is actively exploiting CVE-2025-29635 against D-Link DIR-823X routers, turning vulnerable devices into botnet nodes. The activity matters because the flaw enables remote command execution through a POST request to /goform/set_prohibiting, giving attackers direct control of exposed routers. First seen in early March 2026, the operation downloads dlink.sh and installs the Mirai payload tuxnokill. The same attack pattern was also observed abusing CVE-2023-1389 and a ZTE ZXV10 H108L RCE flaw.

Related Happenings

DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)

Vulnerability
H score45 First: 07.06.2026 17:17 Last: 07.06.2026 17:17 Sources 1

About this happening: **DD-WRT router firmware** is affected by **CVE-2021-27137**, a **buffer overflow** now being used by **C0XMO** to deliver malware and enable **unauthenticated remote code executi...

Universal Robots PolyScope 5 Dashboard Server command injection (CVE-2026-8153)

Vulnerability
H score24 First: 20.05.2026 19:12 Last: 20.05.2026 19:12 Sources 1

About this happening: **CVE-2026-8153** patches a **critical command injection** flaw in **Universal Robots PolyScope 5 Dashboard Server** that could let an **unauthenticated attacker** execute command...

Weaver E-cology 10.0 unauthenticated RCE flaw (CVE-2026-22679)

Vulnerability
H score46 First: 05.05.2026 01:12 Last: 05.05.2026 01:12 Sources 1

About this happening: **CVE-2026-22679** exposed **Weaver E-cology 10.0** to unauthenticated remote code execution on builds prior to **March 12**, allowing attackers to run system commands on the serv...

Latest development: 05.05.2026 10:37

Evidence of active abuse against Weaver (Fanwei) E-cology CVE-2026-22679 dates to March 17, 2026, with QiAnXin also saying it reproduced the unauthenticated remote code execution flaw that day in its alert.

D-Link DIR-823X command-injection RCE (CVE-2025-29635)

Vulnerability
H score40 First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

How related: This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution.

About this happening: **CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
H score1 First: 20.04.2026 16:01 Last: 20.04.2026 16:01 Sources 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

Timeline

  1. 22.04.2026 23:04 2 articles · 2mo ago

    Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

    Initial Disclosure

    In **early March 2026**, honeypots began seeing exploitation attempts against **CVE-2025-29635** on **D-Link DIR-823X routers**. The initial phase consisted of POST-based command-execution attempts that fetched **dlink.sh** and prepared devices for Mirai payload installation.

    Show sources