Mirai Botnet Hijacks Old DLink Routers Via CVE-2025-29635

vulnerability · closed · Apr 22, 2026 — Apr 22, 2026

A Mirai botnet has been observed hijacking outdated D‑Link DIR‑823X routers by exploiting a command injection flaw tracked as CVE‑2025-29635, according to research from Akamai. The vulnerability affects devices that have reached end of life and are running firmware versions 240126 or 24082, allowing attackers to execute arbitrary code with a single crafted POST request.

The flaw carries a CVSS score of 8.8 and stems from improper validation of user‑supplied input that is copied directly into a system command. A proof‑of‑concept script released on GitHub last year demonstrated the exact injection method, and the current campaign reuses that technique to compromise devices.

Once inside, the malware drops a Mirai variant dubbed “tuxnokill” from the IP address 88.214.20.14. The payload contacts a command‑and‑control server at 64.89.161.130 on port 44300 and is compiled for multiple CPU architectures. The same botnet also leverages CVE‑2023-1389 on TP‑Link Archer AX21 routers and a remote code execution flaw in ZTE ZXV10 H108L devices, showing a broad reuse of known exploits.

Activity began roughly twelve months after the public disclosure of CVE‑2025-29635, indicating a deliberate delay before weaponisation. No specific threat actor has been attributed to the attacks, but analysts note that the Mirai source code leak continues to fuel opportunistic campaigns targeting abandoned hardware.

Network administrators should first identify any D‑Link DIR‑823X units running the vulnerable firmware and either upgrade to a supported release or replace the equipment. Disabling remote administration interfaces, turning off UPnP where unnecessary, and placing IoT devices on isolated VLANs can reduce the attack surface.

Additionally, outbound connections to the observed C2 IP 64.89.161.130:44300 should be blocked at the firewall, and intrusion detection systems can be tuned to flag the characteristic shell script used to fetch the tuxnokill payload. Staying current with vendor advisories and monitoring for unusual traffic remains essential as legacy routers continue to be an attractive target for botnet operators.
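The two defensive checks above (inventory of vulnerable DIR-823X firmware and detection of traffic to the payload host and C2) can be scripted against firewall logs. The following is an added example, not code from Akamai or from the report; the key=value log format and the sample lines are constructed for illustration, and only the indicators and firmware builds come from the text above.

```python
import re
from collections import defaultdict

# Indicators and firmware builds named in the write-up above.
C2_HOST, C2_PORT = "64.89.161.130", 44300      # tuxnokill command-and-control
PAYLOAD_HOST = "88.214.20.14"                   # host the Mirai variant is fetched from
VULNERABLE_FIRMWARE = {"240126", "24082"}       # end-of-life DIR-823X builds

# Hypothetical log format: key=value pairs, as many firewalls emit them.
FLOW_RE = re.compile(r"(\w+)=(\S+)")

def parse_flow(line):
    """Turn one 'key=value ...' firewall line into a dict; ports become ints."""
    fields = dict(FLOW_RE.findall(line))
    for key in ("sport", "dport"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def classify_flow(flow):
    """Label one outbound flow by the indicator it matches, or None if clean."""
    dst, dport = flow.get("dst"), flow.get("dport")
    if dst == C2_HOST:
        # Any contact with the C2 host is suspicious; the port match is the strongest signal.
        return "c2-beacon" if dport == C2_PORT else "c2-host-other-port"
    if dst == PAYLOAD_HOST:
        return "payload-download"
    return None

def find_compromised(lines):
    """Map each internal source IP to the sorted list of indicator labels it triggered."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        label = classify_flow(flow)
        if label and "src" in flow:
            hits[flow["src"]].add(label)
    return {src: sorted(labels) for src, labels in hits.items()}

def is_vulnerable(model, firmware):
    """True for a DIR-823X running one of the firmware builds named in the report."""
    return model.upper().replace("_", "-") == "DIR-823X" and firmware in VULNERABLE_FIRMWARE

# Constructed sample lines, not real telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "ts=2026-04-21T03:12:07Z src=10.0.20.5 dst=88.214.20.14 sport=51222 dport=80 proto=tcp",
    "ts=2026-04-21T03:12:09Z src=10.0.20.5 dst=64.89.161.130 sport=51223 dport=44300 proto=tcp",
    "ts=2026-04-21T03:15:41Z src=10.0.20.9 dst=64.89.161.130 sport=40001 dport=443 proto=tcp",
    "ts=2026-04-21T03:16:00Z src=10.0.20.12 dst=203.0.113.10 sport=40002 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for src, labels in find_compromised(SAMPLE_LOG).items():
        print(src, labels)
```

Hosts that show both a payload download and a C2 beacon are the ones to pull first; a match on the C2 host over another port is worth a look but may be a reused address.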

Related CVEs:
CVE-2023-1389: CVSS 8.8, KEV-listed
CVE-2025-29635: CVSS 7.2, KEV-listed
Root source: nvd.nist.gov