
CRITICAL Vulnerabilities SC Media

Discontinued D-Link routers subjected to Mirai botnet targeting

The Mirai botnet is actively exploiting a command injection vulnerability (CVE-2025-29635, CVSS 8.8) in discontinued D-Link DIR-823X routers to download and execute a variant of the malware. Affected firmware versions are 240126 and 240802, and as these routers are end-of-life, no official patch is available; they should be immediately decommissioned and replaced. The article also notes that Mirai is concurrently exploiting other known vulnerabilities in TP-Link and ZTE routers, highlighting the need to remediate all disclosed flaws promptly.

Vulnerability Management, IoT, Network Security, Threat Intelligence

April 23, 2026
By SC Staff

Security Affairs reports that vulnerable end-of-life D-Link DIR-823X routers impacted by the command injection flaw, tracked as CVE-2025-29635, have been targeted by Mirai botnet intrusions since early March, or about a year after the security issue was initially disclosed.

Abuse of the vulnerability in affected D-Link routers, which were discontinued last year, enabled the loading of a shell script that retrieved the Mirai variant "tuxnokill" that leveraged XOR encoding while featuring typical Mirai strings, an analysis from the Akamai Security Intelligence and Response Team showed. Mirai was also observed to have harnessed the TP-Link AX21 bug, tracked as CVE-2023-1389, and another remote code execution issue impacting ZTE ZXV10 H108L routers.

"Many threat actors in the botnet space frequently target older vulnerabilities. Especially when public PoC exploits exist for these vulnerabilities, attackers can easily incorporate them into their exploitation vectors," said Akamai researchers, who called on organizations to promptly remediate disclosed security flaws.

Related

Vulnerability Management: Actively exploited SharePoint spoofing bug continues to threaten over 1,300 instances (SC Staff, April 23, 2026)
More than 1,300 internet-exposed Microsoft SharePoint servers remain vulnerable to ongoing intrusions weaponizing the zero-day spoofing flaw, tracked as CVE-2026-32201, while fewer than 200 online SharePoint instances have been fixed since last week's Patch Tuesday release, BleepingComputer reports.

Vulnerability Management: Microsoft patches critical ASP.NET Core privilege escalation vulnerability (SC Staff, April 23, 2026)
The vulnerability stems from a regression in specific versions of the Microsoft.AspNetCore.DataProtection NuGet packages.

Data Security: Apple patches iPhone notification bug after reports of deleted data recovery (SC Staff, April 23, 2026)
The vulnerability, identified as CVE-2026-28950, was patched on April 22, 2026, in iOS 26.4.2 and iPadOS 26.4.2, as well as in iOS 18.7.8 and iPadOS 18.7.8.
