Mirai Botnet Targets End-of-Life D-Link Routers Through RCE Flaw


A new Mirai-based campaign is actively exploiting CVE-2025-29635, a command injection flaw in D-Link DIR-823X routers, to infect exposed devices and add them to a botnet. Akamai’s Security Intelligence and Response Team detected the activity in its honeypots in early March 2026, roughly a year after the vulnerability was first disclosed.

The flaw affects D-Link DIR-823X firmware versions 240126 and 240802. It allows an authorized attacker to execute arbitrary commands by sending a crafted POST request to the /goform/set_prohibiting endpoint.

The bigger issue is support status. D-Link lists the DIR-823X as an end-of-life and end-of-service product, with all hardware revisions no longer supported. D-Link says firmware development stops for EOL products and recommends retiring and replacing affected devices.

Akamai says the campaign sends POST requests whose injected commands step through writable directories on the device, download a shell script named dlink.sh, and execute it. That script installs a Mirai-based malware variant called tuxnokill, which supports multiple device architectures.

Once installed, the malware gives attackers control over the router for botnet activity. Akamai says the variant includes typical Mirai distributed denial-of-service capabilities, including TCP SYN, TCP ACK, TCP STOMP, UDP floods, and HTTP null attacks.

The campaign also shows that older public vulnerabilities remain valuable to botnet operators. The researchers who originally reported CVE-2025-29635 briefly published proof-of-concept exploit code on GitHub before removing it, but the vulnerability details stayed public.

At a glance

| Item | What current reporting shows |
| --- | --- |
| Malware family | Mirai-based botnet |
| Variant name | tuxnokill |
| Main vulnerability | CVE-2025-29635 |
| Affected device | D-Link DIR-823X routers |
| Affected firmware | 240126 and 240802 |
| Vulnerability type | Command injection |
| Exploited endpoint | /goform/set_prohibiting |
| First public disclosure | March 2025 |
| Active exploitation seen | Early March 2026 |
| Support status | End-of-life and end-of-service |
| Main risk | Router takeover and DDoS activity |

CISA adds CVE-2025-29635 to KEV

CISA added CVE-2025-29635 to its Known Exploited Vulnerabilities catalog on April 24, 2026, after evidence of active exploitation. The agency set a May 8, 2026 deadline for U.S. federal civilian agencies to apply mitigations or discontinue use if mitigations are unavailable.

The KEV entry describes the issue as a D-Link DIR-823X command injection vulnerability. CISA’s required action tells agencies to follow vendor guidance or stop using the product when no mitigation is available.

That guidance matters for home users and small businesses too. If a router has reached end of life and receives no firmware fixes, the safest long-term step is replacement, especially when attackers are already exploiting the flaw.

Akamai says the same activity did not stop with D-Link. The threat actor behind the campaign also exploited CVE-2023-1389 in TP-Link routers and a separate remote code execution flaw in ZTE ZXV10 H108L routers.

The same pattern appeared across these targets. Attackers used router flaws to run commands, download malware, and deploy a Mirai payload.

That pattern fits Mirai’s long-running strategy. Botnet operators look for internet-exposed routers, cameras, DVRs, and other embedded devices that users rarely patch or replace.

Why end-of-life routers are a major risk

End-of-life routers create a simple opening for attackers. The devices often remain online for years, but vendors no longer provide security updates or customer support.

D-Link’s advisory says EOL devices normally receive no further extended support or firmware development. It also warns that continued use of retired devices may create risk for other connected devices.

That risk becomes worse when a vulnerability enters active exploitation. A router sits at the edge of a home or office network, so compromise can affect internet access, traffic routing, and future attacks against other targets.

What users should do now

  • Replace D-Link DIR-823X routers with a supported model.
  • Disable remote administration if it is enabled.
  • Change the router admin password from the default.
  • Update to the latest available firmware if replacement cannot happen immediately.
  • Check for unknown DNS, port forwarding, or admin account changes.
  • Reboot the device after reviewing settings, but do not rely on rebooting as a fix.
  • Place management access behind a trusted local network only.
  • Monitor for unusual outbound traffic or bandwidth spikes.

What administrators should watch for

Network defenders should look for POST requests to /goform/set_prohibiting, downloads of dlink.sh, and outbound connections to suspicious infrastructure linked to Mirai payload delivery. Akamai published indicators of compromise with its analysis to help defenders identify related activity.
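A small triage script that turns the two indicators named above (inbound POSTs to /goform/set_prohibiting and requests for dlink.sh) into per-source hit counts. This is an added example, not part of Akamai's analysis or D-Link's material; it assumes combined-log-format lines from a reverse proxy or egress proxy, and all sample lines and IP addresses are constructed.

```python
import re
from collections import Counter

# Indicators taken from the reporting: the exploited endpoint and the dropper name.
EXPLOITED_ENDPOINT = "/goform/set_prohibiting"
DROPPER_NAME = "dlink.sh"

# Assumed log shape: combined log format, as written by a reverse proxy in front
# of the router's admin interface or by an egress proxy seeing the router's fetches.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return the indicator tags matched by one log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path = m["path"].split("?")[0]
    tags = []
    # Inbound exploitation attempt: POST to the vulnerable endpoint.
    if m["method"] == "POST" and path == EXPLOITED_ENDPOINT:
        tags.append("post_set_prohibiting")
    # Stage-two fetch: any request whose path ends in the dropper name.
    if path.endswith("/" + DROPPER_NAME):
        tags.append("dropper_reference")
    return tags

def triage(lines):
    """Aggregate indicator hits per source address across a batch of lines."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            src = LOG_RE.match(line)["src"]
            hits.setdefault(src, Counter()).update(tags)
    return hits

# Constructed sample: two benign lines, one exploitation attempt, one dropper fetch
# (203.0.113.5 is a documentation-range placeholder, not a real indicator).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2026:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Mar/2026:09:12:03 +0000] "POST /goform/login HTTP/1.1" 200 88',
    '198.51.100.7 - - [03/Mar/2026:09:14:20 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 36',
    '10.0.0.1 - - [03/Mar/2026:09:14:22 +0000] "GET http://203.0.113.5/dlink.sh HTTP/1.1" 200 1402',
]

if __name__ == "__main__":
    for src, counts in triage(SAMPLE_LOG).items():
        print(src, dict(counts))
```

Feed it real proxy logs line by line and alert on any source that accumulates either tag; the POST indicator alone is worth investigating, since the endpoint has no legitimate reason to be hit from the internet.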

Administrators should also review exposed router management interfaces. Internet-facing admin panels create unnecessary risk, especially for retired devices with known command injection flaws.

For organizations, the policy should be direct. Routers, VPN appliances, firewalls, and edge devices need a lifecycle plan, not just passwords and occasional reboots.

FAQ

What is CVE-2025-29635?

CVE-2025-29635 is a command injection vulnerability in D-Link DIR-823X firmware versions 240126 and 240802. It allows an authorized attacker to execute commands by sending a crafted POST request to /goform/set_prohibiting.

Which devices are affected?

The issue affects D-Link DIR-823X routers running firmware versions 240126 and 240802. D-Link lists all DIR-823X hardware revisions as end-of-life and end-of-service.

Is there a patch?

D-Link’s advisory says DIR-823X has reached end-of-life, and firmware development has stopped for EOL products. The vendor recommends retiring and replacing the device.

What malware is being installed?

Akamai says attackers are installing a Mirai-based variant named tuxnokill, which supports multiple architectures and includes common DDoS capabilities.
