Mirai Botnet Targets Flaw in Discontinued D-Link Routers

SecurityWeek, Apr 22, 2026

Why It Matters

The unpatched routers provide a low‑cost entry point for Mirai‑style DDoS attacks, threatening enterprise and consumer IoT ecosystems. Their continued use could amplify botnet traffic and expose downstream devices to further compromise.

Key Takeaways

  • Mirai exploits CVE‑2025‑29635 in discontinued D‑Link DIR‑823X routers
  • Affected firmware versions 240126 and 24082 receive no security patches
  • D‑Link advises retiring the routers to prevent botnet infection
  • Hackers also probing TP‑Link and ZTE devices, widening IoT risk

Pulse Analysis

The Mirai botnet, infamous for powering some of the largest DDoS attacks of the past decade, continues to evolve by targeting legacy IoT hardware. Its open‑source codebase lowers the barrier for cybercriminals, allowing even modestly skilled actors to weaponize vulnerable devices. Recent activity shows a resurgence of interest in older, unsupported routers, underscoring how botnet operators exploit the long tail of unmaintained firmware to rebuild massive attack infrastructures.

At the heart of the latest campaign is CVE‑2025‑29635, a command‑injection flaw discovered in D‑Link's DIR‑823X series. The defect allows attackers to inject arbitrary shell commands via crafted POST requests, bypassing input validation. Because the affected models were discontinued in 2025, D‑Link stopped releasing firmware updates, leaving the devices permanently exposed. Akamai’s telemetry captured exploitation attempts that download an XOR‑encoded payload with hard‑coded downloaders, a hallmark of Mirai’s modular loader. The same tactics are now being observed against TP‑Link and ZTE routers, indicating a broader, coordinated effort to harvest IoT endpoints.

For enterprises and consumers, the episode highlights the critical need for proactive device lifecycle management. Organizations should inventory all network‑edge equipment, decommission unsupported models, and replace them with devices that receive regular security updates. Vendors, meanwhile, must provide clear end‑of‑life guidance and, where feasible, offer migration paths or firmware patches for lingering installations. Network segmentation and intrusion‑detection systems tuned for anomalous outbound traffic can further mitigate the risk of a compromised router becoming a foothold for a Mirai‑style botnet.
