A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.

BleepingComputer

A new campaign exploiting CVE-2025-29635, a high-severity command-injection RCE vulnerability in D-Link DIR-823X routers, is actively enlisting devices into a botnet. First detected by the security team at the company in March 2026, attackers send POST requests to a vulnerable endpoint to download and execute a shell script that installs a multi-architecture malware called 'tuxnokill,' a variant of the well-known DDoS-focused botnet. The same threat actor also exploits CVE-2023-1389 in some other router models. Since the affected D-Link routers reached end-of-life in November 2024, no patch is expected. Users are advised to replace their devices, disable remote administration, change default passwords, and monitor for configuration changes.

New Mirai campaign exploits RCE flaw in EoL D-Link routers