ZCyberNews
Mirai Botnet Exploits D-Link Router Flaw CVE-2025-29635

Mirai botnet operators exploit CVE-2025-29635, a CVSS 8.8 command injection flaw in end-of-life D-Link DIR-823X routers, to deploy malware and launch DDoS attacks.


Executive Summary

A new Mirai botnet campaign is actively exploiting a high-severity command injection vulnerability, CVE-2025-29635, in end-of-life D-Link DIR-823X routers. According to researchers at Fortinet's FortiGuard Labs, attackers are leveraging the flaw to execute arbitrary commands and deploy Mirai variants, conscripting the compromised devices into a distributed denial-of-service (DDoS) swarm.

Technical Analysis

The vulnerability, tracked as CVE-2025-29635, carries a CVSS score of 8.8. It is a command injection flaw in the SetNetworkTomographySettings function of the router's web management interface. As detailed by Fortinet, the flaw stems from improper neutralization of special elements used in an OS command within the Host parameter. Successful exploitation allows an unauthenticated attacker to execute arbitrary commands with root privileges on the affected device.

The exploit chain observed in the wild involves sending a malicious HTTP POST request to the vulnerable endpoint. This request contains a crafted Host parameter that injects a command to download and execute a shell script from a remote server. The script, in turn, fetches and runs the Mirai botnet binary, which is tailored for the router's MIPS architecture.

Tactics, Techniques & Procedures

The attackers' primary technique, as documented by Fortinet, is exploitation of public-facing applications (T1190). They target the vulnerable web interface of the D-Link router to gain initial access. Following successful command injection, they employ command and scripting interpreter techniques (T1059) to download and execute the malicious payload. The final objective is resource hijacking (T1496) for DDoS attacks.

Threat Actor Context

The threat actor is identified as a Mirai botnet operator. Mirai is a long-standing malware family that compromises Internet of Things (IoT) devices, primarily to build botnets for conducting DDoS attacks. The source code for Mirai has been publicly available for years, leading to numerous variants and campaigns by different criminal groups. This campaign specifically targets a known vulnerability in a widely deployed, albeit end-of-life, consumer router model.

Mitigations & Recommendations

The D-Link DIR-823X router reached end-of-life status in 2021 and no longer receives security updates from the vendor. Fortinet researchers strongly recommend that users of this model replace the hardware with a supported device. For organizations that cannot immediately replace the routers, network-level controls should be implemented. These include isolating the devices on a dedicated network segment, blocking all inbound WAN access to the router's administrative web interface, and employing intrusion prevention systems (IPS) to detect and block exploit attempts targeting CVE-2025-29635.
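The IPS-style control recommended above can be expressed as an allowlist on the injected field rather than a blocklist of shell metacharacters: the Host parameter of SetNetworkTomographySettings should only ever carry an IP literal or a DNS hostname, so anything else is an exploit attempt worth alerting on. The following is an added example, not code from the article, D-Link or Fortinet; the request-log format, the placeholder endpoint path and the sample lines are constructed, since the page does not give them.

```python
"""Flag suspicious SetNetworkTomographySettings requests in a request log.

Assumptions (constructed for this example): a proxy or IPS logs each POST
as "<path> <url-encoded body>", the handler path contains the string
"SetNetworkTomographySettings", and the Host field should hold only a
bare IP address or RFC 1123 hostname.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Labels of 1-63 chars (letters, digits, hyphen, no leading/trailing hyphen),
# dot-separated, whole name at most 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_host(value: str) -> bool:
    """Allowlist check: accept only an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def classify_request(path: str, body: str) -> str:
    """Return 'ignore', 'ok' or 'suspicious' for one logged POST request."""
    if "SetNetworkTomographySettings" not in path:
        return "ignore"
    hosts = parse_qs(body, keep_blank_values=True).get("Host")
    if not hosts:
        return "suspicious"  # handler invoked without the field it expects
    return "ok" if all(is_valid_host(h) for h in hosts) else "suspicious"


def scan_log(lines):
    """Classify every logged request; returns a list of (path, verdict)."""
    results = []
    for line in lines:
        path, _, body = line.partition(" ")
        results.append((path, classify_request(path, body)))
    return results


# Constructed sample log lines; the path prefix is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    "/PLACEHOLDER_PATH/SetNetworkTomographySettings Host=192.0.2.10&Count=3",
    "/PLACEHOLDER_PATH/SetNetworkTomographySettings Host=example.net&Count=3",
    "/PLACEHOLDER_PATH/SetNetworkTomographySettings Host=192.0.2.10%3Bid&Count=3",
    "/PLACEHOLDER_PATH/GetStatus Host=192.0.2.10",
]
```

Running `scan_log(SAMPLE_LOG)` marks the two well-formed tomography requests as ok, the one whose Host decodes to a value containing a semicolon as suspicious, and ignores the unrelated endpoint.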
