Mirai Botnet Exploits Critical Flaw in Discontinued D-Link Routers for DDoS Attacks

New Mirai Botnet Campaign Actively Exploiting High-Severity RCE Flaw (CVE-2025-29635) in End-of-Life D-Link Routers

HIGH
April 24, 2026
Malware, Vulnerability, IoT Security

Related Entities

Organizations: D-Link, Akamai, TP-Link, ZTE

Products & Tech: D-Link DIR-823X

Other: Mirai, tuxnokill

CVE Identifiers: CVE-2025-29635

Executive Summary

A new Mirai botnet campaign is actively exploiting a high-severity remote command execution (RCE) vulnerability, CVE-2025-29635, in discontinued D-Link DIR-823X routers. Security researchers at Akamai detected the in-the-wild exploitation beginning in March 2026, over a year after the flaw was disclosed. Attackers are leveraging the vulnerability to download and execute a shell script (dlink.sh) from a malicious server (88.214.20.14), which then installs a Mirai variant called tuxnokill. The compromised routers are then added to a botnet controlled by a C2 server at 64.89.161.130:44300, ready to participate in distributed denial-of-service (DDoS) attacks. The affected routers reached their end-of-life (EoL) in November 2024, and D-Link has stated they will not be patched, underscoring the persistent threat of legacy IoT devices.

Vulnerability Details

  • CVE ID: CVE-2025-29635
  • CVSS Score: 8.8 (High)
  • Vulnerability Type: Command Injection
  • Attack Vector: A remote, unauthenticated attacker can execute arbitrary commands by sending a specially crafted POST request to the /goform/set_prohibiting endpoint on a vulnerable router.

This type of vulnerability is common in embedded devices and is trivial to exploit once discovered. It allows the attacker to gain full control over the device's operating system.

Affected Systems

  • Product: D-Link DIR-823X series routers
  • Firmware Versions: 240126 and 24082
  • Status: End-of-Life (EoL) as of November 2024. No patches are available.

The same threat actor was also observed exploiting other known vulnerabilities, including CVE-2023-1389 in TP-Link routers and an RCE in ZTE ZXV10 H108L routers, as part of a broader campaign to build their botnet.

Exploitation Status

Akamai's honeypot network confirmed active, in-the-wild exploitation of CVE-2025-29635 starting in early March 2026. This is the first observed mass exploitation of this specific flaw. The attack chain is simple and automated:

  1. Scanning: The botnet scans the internet for vulnerable D-Link routers.
  2. Exploitation: (T1190 - Exploit Public-Facing Application) Upon finding a target, the attacker sends a malicious POST request to /goform/set_prohibiting to execute a command.
  3. Payload Download: (T1105 - Ingress Tool Transfer) The injected command downloads the dlink.sh script from 88.214.20.14.
  4. Installation: The script installs the tuxnokill Mirai variant.
  5. C2 Connection: The malware connects to the C2 server at 64.89.161.130:44300 to receive commands.

Impact Assessment

The immediate impact is the compromise of the affected D-Link routers, adding them to a growing DDoS botnet. For the owners of these routers, this can result in poor network performance and their IP address being implicated in malicious activity. The broader impact is the increased availability of DDoS-for-hire services powered by this botnet. These attacks can be used to disrupt websites, online services, and corporate networks, leading to financial and reputational damage for the victims. This campaign is a classic example of how threat actors leverage a 'long tail' of unpatched, end-of-life IoT devices to build powerful and resilient botnets at a massive scale.

IOCs — Directly from Articles

  • 88.214.20.14 (IPv4 address): Payload hosting server for the dlink.sh script.
  • 64.89.161.130 (IPv4 address): Mirai C2 server.
  • 44300 (destination port): Port used for C2 communication with 64.89.161.130.
  • dlink.sh (file name): Malicious shell script downloader.
  • tuxnokill (malware): Name of the Mirai botnet variant.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • URL pattern /goform/set_prohibiting: HTTP POST requests to this endpoint are a direct indicator of an exploitation attempt against CVE-2025-29635.
  • Network traffic pattern, outbound connections to 88.214.20.14 or 64.89.161.130: Any traffic from a D-Link router to these IPs is a strong indicator of compromise.
  • Network traffic pattern, Telnet/SSH scans originating from IoT devices: Compromised Mirai bots often scan the internet for other vulnerable devices. Monitor for this behavior from your network.

Detection Methods

  • Network Intrusion Detection Systems (NIDS/NIPS): Use signatures to detect and block exploit attempts against CVE-2025-29635. Signatures should look for POST requests to the /goform/set_prohibiting URI path.
  • Threat Intelligence: Ingest the provided IP IOCs into your firewall or SIEM to block and alert on any communication with the payload server or C2 server. This is a form of Network Traffic Analysis.
  • Asset Inventory: Identify all D-Link DIR-823X routers on your network, including those used by remote workers. These devices should be considered inherently insecure.
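As an added example (not code from the original report or from Akamai), the hunt below applies the URL pattern and IP/port indicators from the hunting hints and detection methods above to constructed sample log lines: one scan over web access logs for requests to /goform/set_prohibiting, and one over perimeter firewall connection logs for traffic to the payload host or C2 server. The log formats, client addresses and timestamps are assumptions, not captures from the campaign.

```python
import re
from dataclasses import dataclass

# Indicators taken from the report: payload host, C2 server/port, exploited endpoint
IOC_IPS = {"88.214.20.14", "64.89.161.130"}
C2_ENDPOINT = ("64.89.161.130", 44300)
EXPLOIT_PATH = "/goform/set_prohibiting"
# Constructed sample of router/reverse-proxy access log lines (combined log format)
HTTP_LOG = """\
198.51.100.7 - - [03/Mar/2026:10:12:01 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 173 "-" "curl/7.88"
198.51.100.7 - - [03/Mar/2026:10:12:03 +0000] "GET /goform/set_prohibiting HTTP/1.1" 200 1021 "-" "curl/7.88"
10.0.0.5 - - [03/Mar/2026:10:13:44 +0000] "POST /goform/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Constructed sample of perimeter firewall connection log lines (key=value format)
CONN_LOG = """\
2026-03-03T10:12:05Z src=192.168.1.1 dst=88.214.20.14 proto=tcp dport=80 action=allow
2026-03-03T10:12:09Z src=192.168.1.1 dst=64.89.161.130 proto=tcp dport=44300 action=allow
2026-03-03T10:12:11Z src=192.168.1.20 dst=93.184.216.34 proto=tcp dport=443 action=allow
"""

HTTP_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')
CONN_RE = re.compile(r'^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)')

@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    src: str
    detail: str

def scan_http_log(text):
    """Flag requests to the exploited endpoint: POST is the exploit itself, GET is probing."""
    alerts = []
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != EXPLOIT_PATH:
            continue
        sev = "high" if m["method"] == "POST" else "low"
        alerts.append(Alert(sev, "cve-2025-29635-exploit-attempt", m["src"], f'{m["method"]} {m["path"]}'))
    return alerts

def scan_conn_log(text):
    """Flag any connection to the payload host or C2 server; a hit on the C2 port is critical."""
    alerts = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m or m["dst"] not in IOC_IPS:
            continue
        sev = "critical" if (m["dst"], int(m["dport"])) == C2_ENDPOINT else "high"
        alerts.append(Alert(sev, "mirai-ioc-connection", m["src"], f'{m["dst"]}:{m["dport"]}'))
    return alerts
```

Feed real access and firewall logs into the two scan functions; a "critical" alert on tcp/44300 from an internal router address is the C2 session described in the attack chain above.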

Remediation Steps

Since the affected devices are end-of-life, no patch is available. The only effective remediation is removal and replacement.

  1. Decommission and Replace: Immediately disconnect any D-Link DIR-823X routers from the internet. Replace them with a modern, supported device from a reputable manufacturer.
  2. Network Isolation: If immediate replacement is not possible, isolate the device on a separate network segment with strict firewall rules, blocking all inbound traffic from the internet and all unnecessary outbound traffic. This is a temporary, high-risk workaround.
  3. Password Management: For the replacement device, ensure the default administrator password is changed to a strong, unique password.
  4. Consumer Education: This incident serves as a critical reminder for consumers and small businesses to avoid using old, unsupported networking equipment. Regularly check for end-of-life notices from vendors. This relates to D3FEND's Platform Hardening principles.

Timeline of Events

  1. November 1, 2024: D-Link DIR-823X routers officially reach their end-of-life (EoL).
  2. March 1, 2026: Akamai's honeypot network begins detecting active exploitation of CVE-2025-29635 in the wild.
  3. April 24, 2026: This article was published.

MITRE ATT&CK Mitigations

The most effective mitigation is to physically remove and replace the end-of-life, vulnerable hardware.

Block inbound connections to the router's management interface from the internet. Also, block outbound connections to known malicious IPs.


D3FEND Defensive Countermeasures

The core issue with the D-Link DIR-823X routers is that they are end-of-life and cannot be patched. Therefore, the only definitive platform hardening action is to decommission and replace them. Organizations and individuals must adopt a lifecycle management approach for IoT and networking hardware. Any device that is no longer supported by the manufacturer must be considered insecure and removed from the network. For any new router being deployed, the first step should be to change the default admin password and disable remote administration from the WAN interface. This simple step of hardening prevents a huge number of automated attacks that scan for default credentials and exposed management ports. In this specific case, since a patch for CVE-2025-29635 will never be released, replacement is the only viable long-term solution.

To prevent the exploitation of CVE-2025-29635 and similar vulnerabilities, organizations must implement strict inbound traffic filtering at the network edge. The web administration interface of a SOHO router should never be exposed to the public internet. Configure your perimeter firewall to block all inbound connections to the router's management port (typically 80/443) from any external IP address. If remote management is absolutely necessary, it should be restricted to a small set of trusted IP addresses (e.g., a corporate static IP) and ideally done over a VPN. For home users, this setting is often labeled 'Disable Remote Management' in the router's admin panel and should always be enabled. This single control would have prevented this Mirai campaign from successfully compromising these D-Link routers.
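The network isolation in step 2 of the remediation steps and the inbound filtering described in this section, written as an added nftables ruleset (not from the report, from D-Link or from Akamai) for a Linux firewall placed upstream of a legacy router that cannot be patched. It assumes eth0 is the internet uplink, eth1 is the isolated segment holding the router's WAN side, and 203.0.113.10 is the single trusted administrative address; all three are placeholders.

```nft
# Added example ruleset. Assumptions: eth0 = internet uplink, eth1 = isolated
# legacy-IoT segment holding the unpatched router, 203.0.113.10 = trusted admin IP.
table inet legacy_iot {
    # Payload host and C2 server from the report's IOC list
    set mirai_iocs {
        type ipv4_addr
        elements = { 88.214.20.14, 64.89.161.130 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Never reach the known payload host or C2 server, in either direction,
        # even for an already established session
        ip daddr @mirai_iocs log prefix "MIRAI-IOC-OUT " drop
        ip saddr @mirai_iocs log prefix "MIRAI-IOC-IN " drop

        ct state established,related accept

        # Inbound from the internet to the segment: management only from the trusted
        # address and only over HTTPS; everything else, including port 80, is dropped,
        # so an unauthenticated POST to /goform/set_prohibiting never reaches the router
        iifname "eth0" oifname "eth1" ip saddr 203.0.113.10 tcp dport 443 accept
        iifname "eth0" oifname "eth1" log prefix "LEGACY-INBOUND-DENY " drop

        # Outbound from the segment: DNS, NTP and web only. This blocks a C2 session
        # on tcp/44300 and the telnet/SSH scanning a Mirai bot performs after infection
        iifname "eth1" oifname "eth0" udp dport { 53, 123 } accept
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" log prefix "LEGACY-EGRESS-DENY " drop
    }
}
```

Check the file with `nft -c -f legacy_iot.nft` before loading it with `nft -f`; the log prefixes make denied inbound attempts and denied egress (a likely sign of infection) easy to pick out of the kernel log.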

Sources & References

  • "New Mirai campaign exploits RCE flaw in EoL D-Link routers", BleepingComputer (bleepingcomputer.com), April 22, 2026
  • "Mirai Botnet Targets Flaw in Discontinued D-Link Routers", SecurityWeek (securityweek.com), April 22, 2026
  • "Mirai botnet exploits CVE-2025-29635 to target legacy D-Link routers", Security Affairs (securityaffairs.co), April 22, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

Mirai, Botnet, DDoS, IoT, D-Link, Vulnerability, CVE-2025-29635, End-of-Life