Security News

Cybersecurity news aggregator

HIGH Attacks HKCERT

Botnet Alert - Mirai Botnet Targets End-of-Life D-Link Routers

A new Mirai botnet variant exploits CVE-2025-29635 (CVSS 8.8), a remote code execution vulnerability, to compromise end-of-life D-Link DIR-823X routers via malicious HTTP requests. The NVD lists affected versions as DIR-823X firmware versions 240126 and 240802, and as these devices are unsupported, no vendor patch is available. The only remediation is to replace all end-of-life routers, disable remote management, and change default credentials.

Botnet Alert - Mirai Botnet Targets End-of-Life D-Link Routers

Release Date: 23 Apr 2026
Type: Botnet

Current Status and Related Trends

HKCERT has recently noted reports indicating that a new variant of the Mirai botnet is exploiting a vulnerability (CVE-2025-29635) to attack D-Link DIR-823X routers that have reached end-of-life and are no longer supported. The vulnerability is a remote arbitrary code execution flaw, which attackers can exploit by sending requests to specific endpoints to execute arbitrary system commands.

According to observations from cybersecurity companies, attackers download and execute a malicious script named dlink.sh on targeted devices, thereby installing a Mirai variant called "tuxnokill". This variant supports multiple system architectures and retains the common DDoS attack capabilities of Mirai. Infected devices may later be used to launch DDoS attacks or perform other malicious activities.

Attackers are not only targeting D-Link routers; they are also exploiting other vulnerabilities to attack end-of-life routers from brands such as TP-Link and ZTE, which lack security updates. This indicates that attackers are broadly scanning for and compromising various unsupported devices.

Since the affected routers are no longer supported, vendors may not release patches. Users who continue to use these devices face a high risk of infection and intrusion. Additionally, HKCERT data shows that Mirai and its variants have remained actively spreading in Hong Kong recently.
HKCERT recommends users take the following measures to reduce the risk of botnet infection and exploitation:

- Replace all end-of-life devices;
- Regularly check and update device firmware to the latest version;
- Disable unnecessary remote management functions;
- Change default administrator passwords and use strong passwords;
- Monitor device settings and network traffic for abnormal changes or unknown connections.

Related Link: New Mirai campaign exploits RCE flaw in EoL D-Link routers
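The traffic-monitoring measure above can be applied directly to the dlink.sh download the alert describes. The following Python is an added example, not code from HKCERT or the cited reports: the log format, device inventory and IP addresses are constructed, and it assumes outbound requests from network devices are logged upstream (for example at a firewall or proxy).

```python
import re
from urllib.parse import urlsplit

SCRIPT_NAME = "dlink.sh"                       # dropper name from the alert
AFFECTED = {"DIR-823X": {"240126", "240802"}}  # NVD-listed firmware, per the alert

# Constructed inventory: management IP -> (model, firmware). "ExampleAP" is hypothetical.
INVENTORY = {
    "192.168.0.1": ("DIR-823X", "240802"),
    "192.168.0.2": ("ExampleAP", "1.0"),
}

# Constructed egress log lines in an assumed "time src method url" format.
SAMPLE_LOG = """\
2026-04-23T02:14:07Z 192.168.0.1 GET http://203.0.113.50/dlink.sh
2026-04-23T02:15:10Z 192.168.0.2 GET http://198.51.100.7/fw/update.bin
2026-04-23T02:16:42Z 192.168.0.2 GET http://203.0.113.50/bins/setup.sh
2026-04-23T02:17:01Z 192.168.0.77 GET http://example.org/index.html
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z]+)\s+(\S+)$")

def is_affected(ip):
    model, fw = INVENTORY.get(ip, (None, None))
    return fw in AFFECTED.get(model, set())

def scan(log_text):
    """Return (src_ip, url, reason) for each suspicious egress request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, src, _, url = m.groups()
        name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        if name == SCRIPT_NAME:
            reason = "dropper name from alert"
            if is_affected(src):
                reason += ", source is affected DIR-823X firmware"
        elif src in INVENTORY and name.endswith(".sh"):
            reason = "network device downloading a shell script"
        else:
            continue
        findings.append((src, url, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A match on the file name alone is a weak signal because names are easy to change; the second rule (any inventoried network device fetching a shell script) does not depend on it.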
