A Mirai botnet is actively exploiting a command injection flaw, tracked as CVE-2025-29635, in discontinued D-Link DIR-823X series routers, according to Akamai. The vulnerability allows attackers to inject commands because an attacker-controlled value is copied into a command without proper validation; firmware versions 240126 and 24082 are affected. Exploitation began about a year after the public disclosure and PoC release, and uses crafted POST requests to compromise devices.
A simple shell script drops a Mirai variant (“tuxnokill”) from 88.214.20[.]14, with the payload contacting a C2 at 64.89.161[.]130:44300 and supporting multiple architectures. The actor also exploits CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, with the report noting that Mirai campaigns persist as attackers reuse leaked code.
Akamai SIRT documented the activity in March 2026, and the notice includes IoCs and YARA rules for the malware samples, urging organisations to patch and safeguard vulnerable, retired devices.