Mirai Returns: Command Injection in Abandoned D-Link Routers
A Mirai-based malware campaign is actively scanning for and exploiting CVE-2025-29635, a high-severity command-injection vulnerability in D-Link DIR-823X routers. The devices are end-of-life (EoL) — D-Link will not release patches — making every exposed unit permanently vulnerable unless replaced or isolated.
Researchers identified active exploitation in the wild, with compromised routers being enrolled in a Mirai botnet infrastructure used to launch distributed denial-of-service (DDoS) attacks against downstream targets.
CVE-2025-29635: Command Injection in DIR-823X
The vulnerability resides in the router's web management interface. An unauthenticated attacker who can reach the management interface — either directly from the internet or from the local network — can inject operating system commands that execute with root privileges on the router's underlying firmware.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-29635 |
| Severity | High |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Authentication Required | None (unauthenticated) |
| Access Vector | Network |
| Affected Device | D-Link DIR-823X |
| EoL Status | End of Life — no patch available |
| Active Exploitation | Confirmed |
Attack Flow
1. Attacker scans internet for exposed D-Link DIR-823X management interfaces
2. CVE-2025-29635 payload sent to vulnerable web endpoint
3. Command injected executes as root on router firmware
4. Mirai dropper downloaded and executed on the router
5. Router connects to Mirai C2 infrastructure
6. Device available for DDoS attack commands
Why End-of-Life Devices Are a Persistent Threat
D-Link officially ended support for the DIR-823X, meaning the company has confirmed it will not release security patches regardless of the severity of vulnerabilities discovered. This creates a class of permanently vulnerable devices that will remain exploitable until physically replaced.
The scale of the problem:
- Consumer routers often remain deployed for 5-10 years after purchase
- EoL status is frequently not communicated to end users
- ISPs may continue shipping or supporting EoL hardware
- Home users have no practical way to obtain patches for abandoned devices
For the Mirai campaign operators, EoL devices are ideal targets: known vulnerabilities, no patch timeline, and a large installed base running firmware that will never be updated.
Mirai: The Enduring Botnet Framework
Mirai is a botnet malware framework originally authored in 2016 and subsequently leaked publicly, spawning dozens of variants. It specializes in:
- Compromising IoT and embedded devices with default or weak credentials, or via known vulnerabilities
- Enlisting devices into large DDoS botnets capable of terabit-scale attacks
- Surviving device reboots via persistent infection techniques on writable flash storage
The Mirai source code leak created an ecosystem of variants — Moobot, Satori, Okiru, Nexcorium — each targeting different device families or vulnerability classes. The DIR-823X campaign represents a new Mirai variant that has added CVE-2025-29635 to its exploitation toolkit.
Recent Mirai-Related Activity in 2026
| Variant | Target | Vulnerability |
|---|---|---|
| Nexcorium | TBK DVRs | CVE-2024-3721 |
| New DIR-823X variant | D-Link DIR-823X | CVE-2025-29635 |
| Aisuru botnet | Multiple IoT | Multiple CVEs |
The targeting of EoL D-Link routers follows a well-established Mirai strategy: exploit devices where there is no vendor patch response, maximizing the time available to compromise and maintain access.
Exposure Assessment
Organizations and home users running D-Link DIR-823X routers should assume they are vulnerable. Key exposure factors:
- Internet-accessible management interface — the highest risk scenario; direct exploitation is possible
- Default or weak admin credentials — even though CVE-2025-29635 requires no credentials, many IoT botnets combine vulnerability exploitation with credential brute-force
- Firmware version — the router's EoL status means all firmware versions are affected
How to Check Your Router Model
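The manual steps and the `arp -a | grep` one-liner in this section identify candidate devices by the OUI (first three octets) of their MAC address. The script below is an added example, not code from the original article: it applies the same three OUI prefixes the article quotes, but parses `arp -a` output from Linux, macOS and Windows (different separators, and macOS prints unpadded groups such as `0:1:2`, which a plain grep for `00:01:02` misses). The sample ARP output is constructed.

```python
"""Flag hosts in `arp -a` output whose MAC address starts with a D-Link OUI.

Added example, not from the original article. DLINK_OUIS holds the three prefixes
quoted in the article's grep one-liner; SAMPLE_ARP is constructed to cover the
Linux, macOS and Windows output formats.
"""
import re
import subprocess
from typing import List, Tuple

# OUI = first three octets of the MAC, written in lowercase colon form
DLINK_OUIS = {"d8:47:32", "00:26:5a", "14:d6:4d"}

# Six hex groups separated by ':' or '-'; macOS prints unpadded groups such as "0:1:2"
MAC_RE = re.compile(r"(?<![0-9a-f])((?:[0-9a-f]{1,2}[:-]){5}[0-9a-f]{1,2})(?![0-9a-f])", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac: str) -> str:
    """Canonical form: lowercase, zero-padded, colon-separated."""
    return ":".join(group.lower().zfill(2) for group in re.split(r"[:-]", mac))


def find_dlink_hosts(arp_output: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs whose OUI is in DLINK_OUIS, in input order."""
    hits = []
    for line in arp_output.splitlines():
        mac_match = MAC_RE.search(line)
        if not mac_match:
            continue
        mac = normalize_mac(mac_match.group(1))
        if mac[:8] in DLINK_OUIS:
            ip_match = IP_RE.search(line)
            hits.append((ip_match.group(1) if ip_match else "?", mac))
    return hits


def scan_local_arp_table() -> List[Tuple[str, str]]:
    """Run the system's `arp -a` and filter it; works on Linux, macOS and Windows."""
    output = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return find_dlink_hosts(output)


# Constructed sample: two Linux lines, one macOS line, two Windows lines
SAMPLE_ARP = """\
? (192.168.0.1) at d8:47:32:aa:bb:cc [ether] on eth0
? (192.168.0.20) at 3c:22:fb:11:22:33 [ether] on eth0
router.local (10.0.0.1) at 14:d6:4d:0:1:2 on en0 ifscope [ethernet]
  172.16.0.1            00-26-5A-12-34-56     dynamic
  172.16.0.55           a4-5e-60-ab-cd-ef     dynamic
"""

if __name__ == "__main__":
    for ip, mac in find_dlink_hosts(SAMPLE_ARP):
        print(f"candidate D-Link device: {ip} ({mac})  -> confirm the model in its web UI")
```

An OUI match only tells you the hardware vendor, not the model: a hit is a prompt to log in to that device and read its model number, not a confirmation that it is a DIR-823X.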
# If you have access to the router's web UI:
# Log in to http://192.168.0.1 (or your gateway IP)
# Navigate to: Status > Device Info or About
# Check the model number against the D-Link EoL list
# Alternatively, identify via ARP/device discovery (Linux/macOS; Windows `arp -a` prints MACs with dashes)
arp -a | grep -iE "d8:47:32|00:26:5a|14:d6:4d" # Common D-Link OUI prefixes
Recommended Actions
1. Replace EoL Hardware
The only permanent solution is to replace D-Link DIR-823X units with actively supported hardware from any vendor. D-Link's current supported product lines include the DIR-X series with regular security update commitments.
2. Disable Remote Management
If replacement is not immediately possible:
1. Log in to the router web interface
2. Navigate to: Advanced > Remote Management (or Tools > Admin)
3. Disable "Remote Management" / "WAN Access"
4. This prevents direct internet exploitation of the management interface
3. Change Default Credentials
1. Log in to the router web interface
2. Navigate to: Tools > Admin > Password
3. Set a strong, unique password (16+ characters)
4. Disable default admin account if alternative accounts are configured
4. Network Segmentation
- Place EoL routers behind a firewall that blocks inbound connections to the management interface
- If using as an access point only, disable routing features and use a supported router as the network gateway
- Consider VLAN isolation if the device cannot be replaced immediately
5. Monitor for Botnet Indicators
Signs that a router may already be compromised:
| Indicator | Possible Explanation |
|---|---|
| Unexplained outbound traffic spikes | DDoS attack participation |
| DNS queries to unknown domains | C2 communication |
| New firewall rules appearing | Attacker maintaining access |
| Performance degradation | CPU consumed by botnet activity |
| Management interface inaccessible | Attacker locking out the owner |
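The first two indicators in the table (outbound traffic spikes, DNS queries to unknown domains) can be checked mechanically if you log flows and DNS queries at the LAN side, for example from a mirror port or a downstream firewall. The script below is an added example, not code from the original article: it parses constructed flow and DNS records, isolates traffic the router itself originates (a healthy router sends almost nothing of its own), flags any minute that exceeds a multiple of the median minute, and lists router-originated DNS lookups that are not on an allowlist. The log format, addresses, domain names, the router IP, the allowlist and the spike factor are all constructed or assumed.

```python
"""Check constructed router flow and DNS records against two of the article's
compromise indicators: outbound traffic spikes and DNS queries to unknown domains.

Added example, not part of the original article. The log format, addresses,
domain names and thresholds are constructed/assumed; adapt them to whatever your
firewall or flow exporter actually emits.
"""
from statistics import median
from typing import Dict, List

ROUTER_IP = "192.168.0.1"      # assumed LAN address of the router itself
SPIKE_FACTOR = 10.0            # assumed: flag a minute above 10x the median minute
KNOWN_DOMAINS = {              # assumed allowlist of names the router itself may resolve
    "ntp.pool.example",
    "fwcheck.vendor.example",
}

# Constructed records captured on the LAN side, so client traffic still carries client
# source IPs and flows with src=ROUTER_IP are the router's own.
#   "<minute> flow src=<ip> dst=<ip> bytes=<n>"
#   "<minute> dns src=<ip> qname=<name>"
SAMPLE_LOG = """\
2026-04-12T10:00 flow src=192.168.0.1 dst=203.0.113.9 bytes=12000
2026-04-12T10:00 dns src=192.168.0.1 qname=ntp.pool.example
2026-04-12T10:01 flow src=192.168.0.1 dst=203.0.113.9 bytes=11000
2026-04-12T10:02 flow src=192.168.0.1 dst=203.0.113.9 bytes=10500
2026-04-12T10:02 flow src=192.168.0.20 dst=198.51.100.40 bytes=5000000000
2026-04-12T10:03 flow src=192.168.0.1 dst=203.0.113.9 bytes=13000
2026-04-12T10:03 dns src=192.168.0.20 qname=www.example
2026-04-12T10:04 flow src=192.168.0.1 dst=203.0.113.9 bytes=11500
2026-04-12T10:05 dns src=192.168.0.1 qname=x7q.c2.example
2026-04-12T10:05 flow src=192.168.0.1 dst=198.51.100.77 bytes=900000000
"""


def parse(log: str) -> List[dict]:
    """Turn each non-empty line into a dict of its key=value fields plus minute/kind."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"minute": parts[0], "kind": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def router_bytes_per_minute(records: List[dict], router_ip: str = ROUTER_IP) -> Dict[str, int]:
    """Sum bytes of flows the router itself originated, per minute (client flows ignored)."""
    totals: Dict[str, int] = {}
    for rec in records:
        if rec["kind"] == "flow" and rec.get("src") == router_ip:
            totals[rec["minute"]] = totals.get(rec["minute"], 0) + int(rec["bytes"])
    return totals


def traffic_spikes(per_minute: Dict[str, int], factor: float = SPIKE_FACTOR) -> List[str]:
    """Minutes whose router-originated volume exceeds factor x the median minute."""
    if not per_minute:
        return []
    baseline = max(median(per_minute.values()), 1)  # guard against an all-zero median
    return sorted(m for m, b in per_minute.items() if b > factor * baseline)


def unknown_dns(records: List[dict], router_ip: str = ROUTER_IP,
                allowlist=KNOWN_DOMAINS) -> List[str]:
    """Names the router itself queried that are not on the allowlist (possible C2)."""
    seen: List[str] = []
    for rec in records:
        if rec["kind"] == "dns" and rec.get("src") == router_ip:
            name = rec["qname"].lower().rstrip(".")
            if name not in allowlist and name not in seen:
                seen.append(name)
    return seen


def assess(log: str) -> Dict[str, List[str]]:
    """Run both indicator checks over one log and return the hits per indicator."""
    records = parse(log)
    return {
        "traffic_spikes": traffic_spikes(router_bytes_per_minute(records)),
        "unknown_dns": unknown_dns(records),
    }


if __name__ == "__main__":
    for indicator, hits in assess(SAMPLE_LOG).items():
        print(f"{indicator}: {hits or 'none'}")
```

In the constructed sample the client's large download at 10:02 is ignored because its source is a LAN host, while the router-sourced 900 MB burst at 10:05 and the router's own lookup of an unlisted domain are both reported. A hit on either check is a reason to pull the device off the network and inspect it, not proof of infection on its own.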
Broader Context: IoT Vulnerability Exploitation in 2026
This Mirai campaign is part of a larger trend of targeting consumer and SOHO networking equipment with known vulnerabilities:
- Operation PowerOff (April 2026) disrupted 53 DDoS-for-hire domains but highlighted the volume of IoT botnets feeding them
- DOJ IoT botnet disruption (March 2026) seized infrastructure behind 314 Tbps DDoS attacks
- Forest Blizzard / APT28 (April 2026) used compromised SOHO routers for nation-state operations
End-of-life IoT devices represent a systemic security risk because they persist in networks long after vendors abandon them, providing attackers with a stable, patchless foothold for both DDoS infrastructure and nation-state proxy networks.