Zerobot Malware Exploits Tenda Command Injection Vulnerabilities to Deploy Malicious Payloads


GBHackers On Security
Mar 3, 2026

Why It Matters

The dual‑vector attack expands botnet reach from traditional IoT devices to enterprise automation servers, raising the threat surface for both home users and businesses. It forces rapid patching and tighter network monitoring across disparate asset classes.

Key Takeaways

  • Zerobot exploits Tenda AC1206 CVE‑2025‑7544.
  • Same campaign targets n8n CVE‑2025‑68613.
  • Payload uses multi‑arch binaries and UPX packing.
  • Attack leverages wget, curl, TFTP redundancy for download.
  • Mitigation: patch routers, upgrade n8n, monitor C2 traffic.

Pulse Analysis

The resurgence of Mirai‑style botnets underscores how legacy IoT vulnerabilities remain fertile ground for attackers. By chaining a router buffer overflow with a workflow‑engine RCE, Zerobot bridges the gap between consumer‑grade devices and enterprise‑grade automation tools. This hybrid approach not only multiplies the number of compromised endpoints but also gives threat actors a stealthier foothold inside corporate networks, where n8n instances often integrate with critical APIs and data pipelines.

Technical analysis reveals why the exploits are so effective. CVE‑2025‑7544’s stack‑based overflow can be triggered with a single oversized GET request, requiring no authentication and offering immediate code execution on Tenda AC1206 firmware. Meanwhile, CVE‑2025‑68613 abuses insufficient sandboxing in n8n’s expression engine, allowing a low‑privilege user to inject OS commands. Both vectors feed the same downloader script (tol.sh), which redundantly pulls the UPX‑packed Zerobotv9 binary for dozens of CPU architectures, ensuring the bot can survive on anything from low‑end routers to x86 servers.

Defenders must adopt a layered response. Immediate steps include identifying exposed Tenda devices, applying vendor patches or isolating them from the internet, and upgrading n8n to the patched releases. Network monitoring should flag outbound traffic to the known C2 domain (0bot.qzz.io) and anomalous use of file‑transfer utilities from non‑standard hosts. As botnets continue to diversify their infection vectors, organizations should treat automation platforms with the same rigor as traditional IoT assets, integrating them into broader vulnerability‑management and threat‑intel programs.
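As an added example (not the article's own code), a small Python triage routine that applies the monitoring advice above to DNS and HTTP proxy log lines: it flags lookups or requests to the C2 domain and its subdomains, fetches of the downloader script, and wget/curl/tftp user agents from hosts not expected to pull files. The log line format, the allowlisted admin host and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, List

C2_DOMAIN = "0bot.qzz.io"                  # C2 domain named in the article
DOWNLOADER = "tol.sh"                      # downloader script named in the article
TRANSFER_TOOLS = ("wget", "curl", "tftp")  # utilities the dropper relies on
ALLOWED_TOOL_HOSTS = {"10.0.0.5"}          # assumed patch/admin host, not from the article
# Assumed line format: "<ts> <src_ip> dns <name>" or "<ts> <src_ip> http <ua-token> <url>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|http)\s+(.+)$")

def matches_c2(name: str) -> bool:
    """True for the C2 domain itself or any subdomain of it (trailing dot tolerated)."""
    name = name.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def url_host(url: str) -> str:
    """Host part of a URL: scheme, path and port dropped."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/", 1)[0].split(":", 1)[0]

def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per matched indicator, in log order."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format
        ts, src, kind, field = m.groups()
        if kind == "dns":
            if matches_c2(field):
                alerts.append({"ts": ts, "src": src, "reason": "c2-dns"})
            continue
        ua, _, url = field.partition(" ")
        if matches_c2(url_host(url)):
            alerts.append({"ts": ts, "src": src, "reason": "c2-http"})
        if url.rsplit("/", 1)[-1] == DOWNLOADER:
            alerts.append({"ts": ts, "src": src, "reason": "downloader"})
        # wget/curl/tftp user agents from a host not expected to fetch files
        if ua.lower().startswith(TRANSFER_TOOLS) and src not in ALLOWED_TOOL_HOSTS:
            alerts.append({"ts": ts, "src": src, "reason": "transfer-tool"})
    return alerts

# Constructed sample log (not real traffic): one infected host, two benign ones.
SAMPLE_LOG = [
    "2026-03-03T10:00:01Z 192.168.1.23 dns 0bot.qzz.io",
    "2026-03-03T10:00:02Z 192.168.1.23 http wget/1.21 http://0bot.qzz.io/tol.sh",
    "2026-03-03T10:00:03Z 10.0.0.5 http curl/8.0 https://mirror.example/patch.bin",
    "2026-03-03T10:00:04Z 192.168.1.40 http Mozilla/5.0 https://www.example.com/",
    "2026-03-03T10:00:05Z 192.168.1.23 dns api.qzz.io",
]
```

Running `analyze(SAMPLE_LOG)` yields four alerts, all for 192.168.1.23; the allowlisted curl download and the unrelated qzz.io lookup are not flagged.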
