A Mirai botnet is targeting discontinued D-Link routers impacted by a command injection vulnerability disclosed a year ago, according to Akamai. Tracked as CVE-2025-29635, the security defect exists because an attacker-controllable function value is copied without validation and can be exploited through crafted POST requests. The observed exploitation attempts target the same code and trigger the same system call as a PoC exploit published last year on GitHub, which has since been removed.
As part of the observed execution path, a shell script is loaded to download and run a payload that exhibits several Mirai characteristics, including XOR encoding, a hardcoded console execution string, and a hardcoded downloader IP. The issue affects D-Link DIR-823X series router firmware versions 240126 and 24082; these devices were discontinued last year and no longer receive software updates from the vendor, with D-Link stressing that the product should be retired. Akamai notes that the threat actors have also been observed targeting TP-Link and ZTE router vulnerabilities.
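For analysts triaging a sample with the XOR-encoded strings described above, the following added example (not code from Akamai or from the original article) recovers a single-byte XOR key from an expected string and lists everything that decodes under it. The sample blob, the crib `/dev/watchdog` and the other strings are constructed, and the folded 32-bit key scheme is an assumption based on the original public Mirai source, not on this variant.

```python
import re
from functools import reduce

# Printable ASCII runs of 6+ bytes, similar to what `strings` reports.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

def fold_key(key32: int) -> int:
    """XORing a byte with all four bytes of a 32-bit key equals one single-byte XOR."""
    return reduce(lambda a, b: a ^ b, key32.to_bytes(4, "big"))

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_keys(data: bytes, cribs: list[bytes]) -> dict[int, list[str]]:
    """Map each single-byte key to the expected strings (cribs) it reveals in data."""
    hits = {}
    for key in range(1, 256):
        # Encode the crib instead of decoding the whole blob: same result, less work.
        found = [c.decode() for c in cribs if xor_bytes(c, key) in data]
        if found:
            hits[key] = found
    return hits

def decoded_strings(data: bytes, key: int) -> list[tuple[int, str]]:
    """Return (offset, text) for every printable run visible after XOR with key."""
    plain = xor_bytes(data, key)
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(plain)]

# --- Constructed sample, not taken from any real binary ---
# Assumption: 0xDEADBEEF is the key used in the original public Mirai source;
# the key of the variant described here is not given on the page.
SAMPLE_KEY = fold_key(0xDEADBEEF)
FILLER = bytes([0x00, 0xFF]) * 8  # never decodes to a printable run under any key
PLAINTEXTS = [b"/dev/watchdog", b"constructed exec banner", b"198.51.100.7"]
SAMPLE = FILLER + FILLER.join(xor_bytes(p + b"\0", SAMPLE_KEY) for p in PLAINTEXTS) + FILLER

if __name__ == "__main__":
    # "/dev/watchdog" is a hypothetical crib the analyst expects to find.
    for key, cribs in find_keys(SAMPLE, [b"/dev/watchdog"]).items():
        print(f"key 0x{key:02x} reveals {cribs}")
        for offset, text in decoded_strings(SAMPLE, key):
            print(f"  0x{offset:04x}  {text}")
```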