Mirai Malware: New Campaign Targets D-Link Routers with Critical Flaw (2026)

The recent discovery of a new Mirai-based malware campaign targeting D-Link DIR-823X routers has raised concerns about the ongoing threat of botnets and the exploitation of vulnerabilities in end-of-life (EoL) devices. This campaign leverages a high-severity command-injection vulnerability, CVE-2025-29635, which was first disclosed 13 months ago by security researchers Wang Jinshuai and Zhao Jiangting. What makes this particular exploit concerning is that it's the first time in-the-wild active exploitation has been observed, indicating a shift in the tactics of cybercriminals. The Akamai SIRT's report highlights the active exploitation attempts in their global network of honeypots, emphasizing the real-world impact of this vulnerability.

The exploit involves sending POST requests to a vulnerable endpoint, triggering remote command execution and ultimately installing a Mirai-based malware named 'tuxnokill'. This malware supports multiple architectures and features the standard DDoS attack repertoire, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null. What's more alarming is that the threat actor behind this campaign also exploits CVE-2023-1389, impacting TP-Link routers, and a separate RCE flaw in ZTE ZXV10 H108L routers, showcasing a pattern of widespread vulnerability exploitation.

The affected D-Link DIR-823X routers reached EoL in November 2024, and it's likely that the latest firmware available does not address CVE-2025-29635. D-Link's stance of not making exceptions for active exploitation means a fix is unlikely to be provided. This situation underscores the importance of timely firmware updates and the need for users of EoL routers to take proactive measures. Users are advised to upgrade to newer models with active support and frequent security fixes, disable unnecessary remote administration portals, change default admin passwords, and monitor for unexpected configuration changes.
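As an added example (not code from the article, Akamai SIRT or D-Link), the following script shows how a defender could scan a router's web-admin access log for the kind of POST-based command injection described above: it flags form fields carrying shell metacharacters. The log format, the endpoint path `/cgi-bin/placeholder_endpoint.cgi` and the sample lines are all constructed here, since the article does not name the vulnerable endpoint.

```python
"""Flag command-injection attempts against a router web-admin endpoint.
Log format, endpoint path and sample lines are constructed for this example."""
import re
from urllib.parse import parse_qs, unquote_plus

# Shell metacharacters that never belong in a router form field such as a
# hostname or IP address; their presence in a POST body is the core signal.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# Placeholder for the vulnerable CGI endpoint (the article does not name it).
WATCHED_PATHS = ("/cgi-bin/placeholder_endpoint.cgi",)

# Constructed format: <ts> <src_ip> "<METHOD> <path>" <status> body="<form>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def injected_fields(body):
    """Return {field: decoded value} for fields containing shell metacharacters."""
    hits = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            decoded = unquote_plus(v)  # second decode catches double-encoding
            if SHELL_META.search(decoded):
                hits[key] = decoded
    return hits

def scan(lines):
    """Return one alert per suspicious POST to a watched path; skip the rest."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in WATCHED_PATHS:
            continue
        hits = injected_fields(rec["body"])
        if hits:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "fields": hits})
    return alerts

# Constructed sample lines: a benign admin save, an injection attempt, noise.
SAMPLE_LOG = [
    '2026-02-01T10:00:00Z 192.0.2.10 "POST /cgi-bin/placeholder_endpoint.cgi" 200 body="host=ntp.example.net&enable=1"',
    '2026-02-01T10:00:05Z 198.51.100.7 "POST /cgi-bin/placeholder_endpoint.cgi" 200 body="host=ntp.example.net%3Bid&enable=1"',
    '2026-02-01T10:00:09Z 192.0.2.10 "GET /status.htm" 200 body=""',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample above only the second line is reported, because its `host` field decodes to `ntp.example.net;id`.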
The implications of this exploit extend beyond the immediate impact on D-Link routers, as it highlights the ongoing challenge of securing EoL devices and the potential for widespread botnet activity. The recent success of chaining four zero-days into one exploit that bypassed sandboxes further emphasizes the evolving nature of cyber threats. As the cybersecurity landscape continues to evolve, it becomes increasingly crucial for organizations and individuals to stay vigilant and adapt their security measures accordingly. The Autonomous Validation Summit, scheduled for May 12 & 14, provides an opportunity to explore innovative approaches to validation and remediation, offering a glimmer of hope in the ongoing battle against cyber threats.

Author: Rob Wisoky