DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)
Vulnerability
Summary
DD-WRT router firmware is affected by CVE-2021-27137, a buffer overflow that enables unauthenticated remote code execution and is now being used by C0XMO to deliver malware. The flaw expands risk for internet-facing routers because exploitation does not require credentials. Successful abuse can turn exposed devices into botnet nodes and give attackers arbitrary code execution on the device.
Related Happenings
C0XMO Gafgyt botnet activity on DD-WRT routers
Malware Activity
First: 07.06.2026 17:17
Last: 07.06.2026 17:17
Sources 1
How related:
Fundamentally, C0XMO remains malware for launching distributed denial-of-service (DDoS) attacks and supports 19 methods, including UDP/TCP/SYN/ICMP floods, “ping of death,” NTP/Memcached amplification, Discord voice UDP floods, and Valve-specific floods.
About this happening:
The **C0XMO** botnet is spreading through **DD-WRT router firmware** and other internet-facing devices, increasing the pool of systems available for **DDoS** attacks. It exploits...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Digiever DS-2105 Pro active exploitation wave (CVE-2023-52163)
Exploitation Wave
First: 25.12.2025 10:07
Last: 25.12.2025 10:07
Sources 1
About this happening:
**CVE-2023-52163** is being exploited at scale against **Digiever DS-2105 Pro NVRs**, with multiple reports linking abuse to **Mirai** and **ShadowV2** botnet delivery. The flaw i...
Timeline
- 07.06.2026 17:17 · 2 articles
Fortinet uncovers C0XMO Gafgyt variant targeting DD-WRT routers
Technical Analysis Update
Fortinet researchers identified C0XMO, a new Gafgyt variant that targets DD-WRT router firmware through CVE-2021-27137 and can spread across multiple CPU architectures including ARM, MIPS, PowerPC, SuperH, x86, and x86_64. The malware supports 19 DDoS methods, brute-forces SSH and Telnet credentials, downloads a Python-based scanner with requests, paramiko, and beautifulsoup4, persists with cron jobs and shell startup changes, terminates competing malware and tools, and uses a hardcoded C2 handshake to await commands.
- C0XMO botnet spreads via DD-WRT router flaw, kills rival malware — www.bleepingcomputer.com — 07.06.2026 17:17