Executive Summary
In June 2026, the AryStinger botnet compromised over 4,000 outdated D-Link routers worldwide, transforming them into proxies for malicious activities. The malware exploited known vulnerabilities, including CVE-2013-3307, CVE-2016-5681, and CVE-2025-11837, primarily targeting D-Link DIR-850L and DIR-818LW models. Infected devices were utilized for scanning, proxying, tunneling, and command execution, with the capability to tamper with DNS settings and monitor network traffic. The majority of infections were reported in South Korea (48.5%), China (31.8%), Sweden (6.4%), Malaysia (3.5%), and Singapore (2.5%).
This incident underscores the critical need for organizations to replace end-of-life hardware and apply the latest firmware updates to mitigate risks associated with outdated devices. The AryStinger botnet's exploitation of legacy vulnerabilities highlights the ongoing threat posed by unpatched systems in the cybersecurity landscape.
Why This Matters Now
The AryStinger botnet's exploitation of outdated D-Link routers emphasizes the urgent need for organizations to replace end-of-life hardware and apply the latest firmware updates to mitigate risks associated with unpatched systems.
Attack Path Analysis
The AryStinger botnet exploited known vulnerabilities in outdated D-Link routers to gain initial access, escalated privileges to execute arbitrary code, moved laterally to compromise additional devices, established command and control channels, exfiltrated sensitive data, and caused significant operational disruptions.
Kill Chain Progression
Initial Compromise
Description
AryStinger exploited known vulnerabilities in outdated D-Link routers, such as CVE-2013-3307 and CVE-2016-5681, to gain unauthorized access.
Related CVEs
CVE-2025-29635
CVSS 7.2. A command injection vulnerability in D-Link DIR-823X routers allows remote attackers to execute arbitrary commands via crafted POST requests.
Affected Products:
D-Link DIR-823X – 240126, 24082
Exploit Status:
exploited in the wild
References:
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
https://www.securityweek.com/mirai-botnet-targets-flaw-in-discontinued-d-link-routers/
https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
CVE-2025-14528
CVSS 7.5. A vulnerability in D-Link routers allows attackers to read the admin account and password from the local filesystem, enabling further compromise.
Affected Products:
D-Link Multiple Routers – Various
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Application Layer Protocol
Proxy
Network Service Scanning
Valid Accounts
Data Manipulation
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
The AryStinger botnet's compromise of 4,000+ D-Link routers creates critical-infrastructure exposure, enabling DNS hijacking, traffic monitoring, and the launching of distributed attacks.
Internet
Router botnet enables malicious traffic proxying, DNS tampering, and network reconnaissance affecting internet service providers and web-based business operations globally.
Information Technology/IT
Legacy router exploitation through known CVEs demonstrates the critical need for network segmentation, encrypted traffic controls, and zero trust architecture implementations.
Computer/Network Security
Distributed botnet infrastructure highlights detection gaps requiring enhanced threat monitoring, anomaly response, and egress security policy enforcement across enterprise networks.
Sources
- AryStinger botnet infected thousands of D-Link routers worldwide (Verified): https://www.bleepingcomputer.com/news/security/arystinger-botnet-infected-thousands-of-d-link-routers-worldwide/
- New Mirai campaign exploits RCE flaw in EoL D-Link routers (Verified): https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
- Mirai Botnet Targets Flaw in Discontinued D-Link Routers (Verified): https://www.securityweek.com/mirai-botnet-targets-flaw-in-discontinued-d-link-routers/
- CVE-2025-14528: Watch next week's botnet being built on D-Link routers (Verified): https://www.crowdsec.net/vulntracking-report/cve-2025-14528
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the AryStinger botnet incident as it could have significantly limited the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and cause operational disruptions.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit known vulnerabilities in outdated routers would likely be constrained, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges on compromised devices would likely be constrained, reducing the potential for further exploitation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the spread of the botnet.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing the effectiveness of remote control over compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data loss.
The attacker's ability to cause operational disruptions would likely be constrained, reducing the overall impact on network operations.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Integrity
- User Privacy
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive user data, including credentials and personal information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Ensure Multicloud Visibility & Control to detect anomalous activities across environments.
- Regularly update and patch all network devices to mitigate known vulnerabilities.