Zerobot now targets Tenda routers and n8n servers to spread Mirai-style malware


Zerobot is back, and this time it is going after both consumer networking gear and business automation servers. Akamai said on February 27 that its SIRT team observed active exploitation of CVE-2025-7544 in Tenda AC1206 routers and CVE-2025-68613 in the n8n workflow platform, with the attacks used to fetch a shell script named tol.sh and then load a Mirai-based payload Akamai calls zerobotv9. Akamai says it first saw the activity in its honeypots in January 2026, although the broader campaign appears to date back to at least December 2025.

The headline risk is simple. A threat actor can use these bugs to turn exposed devices and servers into malware download points. That matters even more for n8n because, unlike a home router, an n8n server often sits close to databases, APIs, and internal systems. Akamai says that makes n8n targeting more dangerous than a typical IoT botnet hit because a successful compromise could help an attacker move deeper into an organization.

One important correction is needed: the two flaws are not both command injection bugs. NVD describes CVE-2025-7544 in the Tenda AC1206 as a stack-based buffer overflow in /goform/setMacFilterCfg via the deviceList parameter. The n8n issue, by contrast, is a critical remote code execution flaw in workflow expression evaluation.

What Akamai says Zerobot is exploiting

| CVE | Product | What it is | Current guidance |
| --- | --- | --- | --- |
| CVE-2025-7544 | Tenda AC1206 firmware 15.03.06.23 | NVD says this is a remote stack-based buffer overflow in /goform/setMacFilterCfg via deviceList. | Isolate or replace exposed devices, especially if they are internet-facing. Public sources do not show a clear vendor fix in the materials Akamai and NVD reference. |
| CVE-2025-68613 | n8n | GitHub says this is a critical RCE in workflow expression evaluation that can let an authenticated attacker run code as the n8n process. | Upgrade to n8n v1.122.0 or later. GitHub says earlier mitigations are only short-term. |

Akamai says the Tenda exploit chain used about 500 A characters in the deviceList parameter to trigger the flaw, then ran commands that downloaded tol.sh from 144.172.100.228. It observed the same general goal with the n8n exploit, which also fetched and executed tol.sh before pulling in the main botnet payload.

From there, the campaign looks like a classic Mirai-style spreader with a few newer touches. Akamai says tol.sh copies BusyBox into /tmp, downloads architecture-specific Zerobot binaries, and executes them across multiple CPU types. The researchers also found a hard-coded command-and-control domain, 0bot.qzz[.]io, inside the payload.

Why this Zerobot wave stands out

The Tenda side fits the usual botnet playbook. The n8n side does not. GitHub’s own advisory says the n8n bug can lead to full compromise of the instance, including access to sensitive data, workflow changes, and system-level operations. In other words, if a botnet operator finds an exposed and vulnerable n8n server, they are not just hijacking a simple appliance. They may gain a foothold on a server tied to business processes and internal credentials.

Akamai also says this version of Zerobot differs from the original 2022 strain. The new zerobotv9 sample is smaller, packed with UPX, includes encrypted strings, and is not written in Go like the first version Fortinet described in 2022. Akamai also says the malware now carries extra attack methods such as TCPXmas, Mixamp, SSH, and Discord, which suggests the operators have kept evolving the toolkit rather than simply recycling an older build.

Infection flow at a glance

  • Attacker finds an exposed Tenda AC1206 router or vulnerable n8n instance.
  • The exploit runs shell commands that fetch tol.sh from attacker-controlled infrastructure.
  • tol.sh downloads architecture-specific Mirai payloads and executes them.
  • The infected device or server joins the botnet and can receive commands through 0bot.qzz[.]io.

What defenders should do now

| Action | Why it matters |
| --- | --- |
| Upgrade n8n to v1.122.0 or later | GitHub says that version adds safeguards for the expression evaluation flaw and earlier workarounds are only temporary. |
| Restrict workflow creation and editing in n8n | GitHub recommends limiting those permissions to fully trusted users if you cannot patch immediately. |
| Harden n8n host privileges and network access | GitHub says that reduces the impact if the flaw is abused. |
| Remove or isolate exposed Tenda AC1206 devices | The Tenda bug is remotely exploitable, and public exploit references already exist in NVD. |
| Hunt for tol.sh, traffic to 144.172.100.228, and connections to 0bot.qzz[.]io | Akamai ties those artifacts directly to the campaign. |
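The hunting step above can be turned into a simple log sweep. The following is an added example written for this article, not Akamai's tooling: it checks constructed sample log lines (an access log, a DNS query log and a proxy log) for the indicators the article names, and flags requests to the Tenda endpoint whose deviceList value is far longer than a legitimate MAC-filter list. It assumes the log source records request parameters for the Tenda check; the 200-character threshold is an assumption chosen well below the roughly 500 bytes Akamai reported.

```python
import re
from urllib.parse import unquote

# Indicators as reported by Akamai and quoted in the article above.
IOC_IP = "144.172.100.228"
IOC_DOMAIN = "0bot.qzz.io"            # written 0bot.qzz[.]io in the article
IOC_SCRIPT = "tol.sh"
TENDA_ENDPOINT = "/goform/setMacFilterCfg"
# Assumed threshold: Akamai saw ~500 bytes; a real MAC list is far shorter.
DEVICELIST_THRESHOLD = 200

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2026:03:14:07 +0000] "POST /goform/setMacFilterCfg?deviceList='
    + "A" * 500 + ' HTTP/1.1" 200 12',
    '10.0.0.5 - - [12/Jan/2026:03:14:09 +0000] "GET /tol.sh HTTP/1.1" 200 1423',
    "dns query from 10.0.0.9: 0bot.qzz.io A",
    "proxy 10.0.0.9 -> 144.172.100.228:80 GET /tol.sh",
    '10.0.0.7 - - [12/Jan/2026:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]


def classify(line: str) -> list:
    """Return the names of every campaign indicator matched by one log line."""
    hits = []
    if IOC_IP in line:
        hits.append("c2_download_ip")
    # Normalise defanged notation so both 0bot.qzz[.]io and 0bot.qzz.io match.
    if IOC_DOMAIN in line.replace("[.]", "."):
        hits.append("c2_domain")
    if IOC_SCRIPT in line:
        hits.append("dropper_script")
    if TENDA_ENDPOINT in line:
        # Only works when the log source captured the request parameters.
        m = re.search(r'deviceList=([^&\s"]*)', line)
        if m and len(unquote(m.group(1))) > DEVICELIST_THRESHOLD:
            hits.append("tenda_overflow_attempt")
    return hits


def scan(lines) -> dict:
    """Map line index -> indicator hits, omitting lines with no hits."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Feed real access, DNS and proxy logs to `scan()` in place of the constructed list; any hit on the C2 domain or download IP deserves an immediate look at the source host.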

FAQ

What is Zerobot?

Zerobot is a Mirai-related botnet family first documented in 2022. Akamai says the latest campaign uses a new variant called zerobotv9 and actively exploits Tenda and n8n flaws to spread.

Is this really targeting n8n, not just routers?

Yes. Akamai explicitly says it observed exploitation attempts against CVE-2025-68613 in n8n, and GitHub classifies that flaw as a critical RCE issue.

Is the Tenda issue command injection?

Not according to NVD. NVD describes CVE-2025-7544 as a stack-based buffer overflow. Akamai’s summary refers to command injection vulnerabilities, but the detailed NVD entry for the Tenda bug uses buffer overflow language.

Which n8n versions are affected?

GitHub says the flaw affects versions starting at 0.211.0 and that users should upgrade to 1.122.0 or later.
