Active Exploitation of Discontinued D-Link Hardware
Security researchers at Akamai have identified an active Mirai botnet campaign targeting D-Link routers that are no longer supported by their manufacturer. The vulnerability at the center of these attacks, tracked as CVE-2025-29635, was first disclosed approximately one year ago and affects D-Link DIR-823X series router firmware versions 240126 and 24082.
Because the affected devices have been discontinued, D-Link will not be releasing patches to address the flaw. Owners of these routers are left with no vendor-supported remediation path, making the ongoing attacks particularly concerning for anyone still running the hardware.
How the Vulnerability Works
CVE-2025-29635 is a command injection flaw rooted in a fundamental lack of input validation. According to Akamai, an attacker-controllable function value is copied directly into a command buffer without any sanitization checks. Exploitation is straightforward: a threat actor sends a specially crafted HTTP POST request to the device.
As Akamai explains it:
"The router extracts the value that ends up in the command buffer from the request body without checking which form field it came from."
This design oversight means that an attacker can inject arbitrary shell commands simply by manipulating the body of a POST request, with no need to authenticate or perform complex exploitation steps.
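As an added illustration (not code from Akamai, D-Link, or the original article), the hypothetical C handler below shows the two checks the text says were missing: it reads only the expected form field by name, and it validates that value against a strict allowlist before anything can reach a command buffer. The field name "ifname" and the interface-name-style allowlist are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Finds field `name` in a form-urlencoded POST body. Returns 0 and copies the
 * value into out; -1 if the field is missing, duplicated, or too long for out.
 * No percent-decoding is done: '%' never passes the allowlist below, so
 * encoded metacharacters are rejected as well. */
static int get_form_field(const char *body, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    int found = 0;
    for (const char *p = body; p && *p;) {
        const char *end = strchr(p, '&');
        size_t pairlen = end ? (size_t)(end - p) : strlen(p);
        if (pairlen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = pairlen - nlen - 1;
            if (found || vlen >= outlen) return -1; /* duplicate or oversized */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            found = 1;
        }
        p = end ? end + 1 : NULL;
    }
    return found ? 0 : -1;
}

/* Allowlist: letters, digits, '_', '-', '.'. Shell metacharacters, whitespace
 * and an empty value are rejected outright, never escaped. */
static int value_is_safe(const char *v) {
    if (*v == '\0') return 0;
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && *v != '_' && *v != '-' && *v != '.') return 0;
    return 1;
}

/* 0: out holds a clean value for the assumed field "ifname"; -1: field absent,
 * duplicated or oversized; -2: value rejected by the allowlist. The caller then
 * passes out as one execv() argument, never into a string handed to system(). */
int validated_ifname(const char *body, char *out, size_t outlen) {
    if (get_form_field(body, "ifname", out, outlen) != 0) return -1;
    return value_is_safe(out) ? 0 : -2;
}

/* Verdict-only wrapper for callers that do not need the value itself. */
int ifname_verdict(const char *body) {
    char buf[16];
    return validated_ifname(body, buf, sizeof buf);
}
```

The allowlist approach is deliberate: rejecting everything outside a small character set is easier to get right than trying to escape each shell metacharacter.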
Connection to a GitHub Proof-of-Concept
The exploitation attempts observed by Akamai closely mirror a proof-of-concept (PoC) exploit that was published on GitHub sometime last year. That PoC has since been removed from the platform, but not before threat actors apparently studied and replicated its approach. Researchers noted that the observed attacks target the same code path and trigger the same system call as the removed PoC, suggesting the attackers modeled their tooling directly on the public exploit.
Mirai Payload Characteristics
Once the vulnerability is triggered, the attack chain proceeds with the loading of a shell script designed to download and execute a payload. Akamai identified several hallmarks that classify this payload as a Mirai variant:
- XOR encoding used to obfuscate strings and evade basic detection
- A hardcoded console execution string embedded within the binary
- A hardcoded downloader IP address used to retrieve additional components
These characteristics are consistent with well-documented Mirai derivatives that have circulated in the threat actor community for years. Akamai's analysis suggests the campaign's authors did not rely on AI-assisted or so-called "vibe coding" techniques to construct their payload, instead building on the long-established Mirai codebase.
Broader Targeting Activity
The DIR-823X campaign is not the only infrastructure the threat actors have been probing. Akamai reports that the same attackers have also been observed targeting vulnerabilities in TP-Link and ZTE routers, indicating a broader strategy of exploiting weaknesses across multiple consumer and small-business networking device brands.
D-Link's Warning to Users
D-Link issued a stark advisory in September, urging customers to decommission any DIR-823X series devices still in use. The company stated:
"D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it."
Despite this warning, a portion of the installed base apparently remains active and internet-connected, providing the Mirai botnet operators with a ready pool of vulnerable targets.
The Persistent Threat of Mirai-Based Botnets
Akamai researchers placed the campaign within the broader context of the Mirai ecosystem, which has proven remarkably durable since its original source code was leaked years ago. The firm noted:
"Mirai malware campaigns continue to plague the industry, with much of the original source code continuing to be reused by various threat actors, both skilled and unskilled. The low barrier of entry and potential financial benefits are some of the incentives that may entice individuals to enter the botnet space and become a cyberthreat actor."
The observation underscores a persistent challenge for defenders: the Mirai source code democratized botnet construction, allowing even relatively inexperienced actors to launch large-scale distributed denial-of-service (DDoS) campaigns and other botnet-driven attacks. End-of-life devices, which manufacturers no longer patch, represent an especially attractive target because they offer a stable, undefended attack surface that persists indefinitely.
Recommendations for Affected Users
For anyone operating a D-Link DIR-823X series router, the guidance is unambiguous: the device should be replaced immediately. Given that firmware versions 240126 and 24082 are both affected and no patch will be forthcoming, continued use of these routers exposes not only the device itself but every other system on the connected network to potential compromise. Users should consider upgrading to actively supported hardware from any vendor and ensure that routers are configured to restrict remote management interfaces from being exposed to the public internet.
Source: SecurityWeek