Mirai Botnet Exploits End-of-Life D-Link Routers via RCE

A new Mirai botnet campaign is actively exploiting a critical command injection vulnerability (CVE-2025-29635) in end-of-life D-Link DIR-823X routers. BleepingComputer reports that this flaw allows attackers to remotely execute code, enlisting these compromised devices into the Mirai botnet for launching distributed denial-of-service (DDoS) attacks.

This campaign highlights a persistent threat: the exploitation of unpatched, legacy devices. Organizations still running these vulnerable D-Link routers, especially those exposed to the internet, are prime targets. Defenders must prioritize identifying and decommissioning or isolating end-of-life hardware to prevent it from becoming a pivot point for botnets.

What This Means For You

  • If your organization has deployed D-Link DIR-823X routers, immediately conduct an inventory of all network devices to identify any still in use. Isolate or decommission any identified units from the network and verify they are not publicly accessible. Prioritize upgrading to supported hardware to eliminate this known RCE vector.


Indicators of Compromise

ID              Type               Indicator
CVE-2025-29635  RCE                D-Link DIR-823X routers
CVE-2025-29635  Command Injection  D-Link DIR-823X routers
