
MIRAI BOTNET EXPLOITS D-LINK ROUTER FLAW

AI DESK | 2 MIN READ
WED, APR 22, 2026

■ AI-SUMMARIZED FROM 1 SOURCE BELOW

A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in D-Link DIR-823X routers. The end-of-life devices are being conscripted into the botnet at scale.

Security researchers have identified an active malware campaign leveraging CVE-2025-29635 against D-Link DIR-823X routers. The vulnerability allows remote code execution through command injection, enabling attackers to deploy Mirai variants and expand botnet infrastructure.

D-Link DIR-823X routers reached end-of-life status years ago, meaning the manufacturer no longer provides security updates. This abandonment leaves millions of potentially vulnerable devices exposed in networks worldwide. The routers remain in use across residential and small business deployments despite their deprecated status.

The CVE-2025-29635 flaw carries a CVSS score indicating high severity. Attackers exploiting the vulnerability gain unauthenticated remote code execution, providing complete device control. Once compromised, routers become nodes in the Mirai botnet, capable of participating in distributed denial-of-service attacks and other malicious operations.

Mirai campaigns have historically targeted IoT devices and networking equipment with known vulnerabilities. The botnet's modular architecture allows operators to deploy various payloads and coordinate large-scale attacks. Previous Mirai campaigns have generated significant internet disruption through DDoS operations against critical infrastructure and major online services.

Organizations running DIR-823X routers should consider immediate replacement with supported hardware. Network administrators can implement additional protections including:

- Network segmentation isolating router management interfaces
- Traffic monitoring for suspicious outbound connections
- Firewall rules restricting unnecessary internet access from routers
- Regular security audits of connected devices

Users unable to immediately replace affected equipment should disable remote management features and restrict access to router administration interfaces. Changing default credentials and implementing strong passwords provides minimal additional protection on vulnerable systems.

The exploitation of end-of-life networking equipment demonstrates the persistent security risks posed by abandoned hardware in production environments. Organizations should maintain inventories of deployed devices and establish replacement timelines aligned with manufacturer support lifecycles.
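Two of the recommendations above, keeping a device inventory checked against vendor support lifecycles and watching for suspicious outbound connections from the routers themselves, can be automated. The following is an added example, not code from the article or from D-Link; the inventory, the end-of-support dates, the LAN prefix, the firewall log format and the log lines are all constructed placeholders.

```python
"""Added example: flag routers past vendor support and router-initiated outbound flows."""
import ipaddress
import re
from datetime import date

# Constructed lifecycle table; the dates are placeholders, not D-Link's own.
SUPPORT_END = {"DIR-823X": date(2020, 1, 1), "RT-AX58U": date(2028, 6, 30)}
# Constructed inventory of deployed devices (assumed addresses and roles).
DEVICES = [
    {"ip": "192.168.1.1", "model": "DIR-823X", "role": "router"},
    {"ip": "192.168.1.2", "model": "RT-AX58U", "role": "router"},
]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal prefix
EXPECTED_ROUTER_DPORTS = {53, 123}  # DNS and NTP: the only ports a router reaches on its own here
# Assumed firewall log format: "src=<ip> dst=<ip> dport=<port>".
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def unsupported_devices(devices, today):
    """Inventory entries whose model's vendor support ended before `today`."""
    return [d for d in devices
            if d["model"] in SUPPORT_END and SUPPORT_END[d["model"]] < today]


def router_outbound_alerts(log_lines, devices):
    """Connections a router itself opens to a host outside the LAN on a port
    not in the expected set; LAN-client traffic is deliberately ignored."""
    router_ips = {d["ip"] for d in devices if d["role"] == "router"}
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["src"] not in router_ips:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # hostname or malformed field, not an IP literal
        dport = int(m["dport"])
        if dst not in LAN_NET and dport not in EXPECTED_ROUTER_DPORTS:
            alerts.append((m["src"], str(dst), dport))
    return alerts


# Constructed log lines; only the second one should be flagged.
SAMPLE_LOG = [
    "src=192.168.1.1 dst=8.8.8.8 dport=53",
    "src=192.168.1.1 dst=203.0.113.10 dport=8080",
    "src=192.168.1.50 dst=198.51.100.5 dport=443",
    "src=192.168.1.1 dst=192.168.1.50 dport=80",
    "src=192.168.1.1 dst=update.example dport=443",
]
```

In a real deployment the allow-list would include the vendor's own update endpoints, which do not exist for an end-of-life model, so any other router-originated connection is worth a closer look.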

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
