Executive Summary
In June 2026, the Terrabot botnet, an aggressive IoT malware variant derived from Mirai and Gafgyt frameworks, was observed scanning the internet for vulnerabilities to exploit and expand its network of compromised devices. The botnet targeted known vulnerabilities in legacy D-Link DSL routers (CVE-2016-20017) and Dasan GPON routers (CVE-2018-10561), attempting unauthenticated command injections. However, due to automation errors, such as empty POST request bodies and malformed payloads, many of these exploit attempts failed, highlighting the botnet's technical limitations. (isc.sans.edu)
This incident underscores the persistent threat posed by IoT botnets, even those with flawed execution, as they continue to exploit unpatched vulnerabilities in widely used devices. The rapid proliferation of such botnets emphasizes the need for robust security measures, timely patching, and vigilant monitoring to protect against automated cyber threats.
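One defensive check that follows from the failure mode described above (exploit attempts arriving as empty POST bodies): an added triage script, not code from the page or from the SANS diary it cites, that parses web-server log lines and flags client IPs spraying zero-length POSTs at several distinct paths. It assumes a constructed log format in which the server records the request Content-Length (as nginx can with $content_length); the sample lines and endpoint paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format, one request per line:
#   <ISO timestamp> <client ip> "<METHOD> <path>" <status> clen=<bytes or ->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) clen=(?P<clen>-|\d+)$'
)

# Constructed sample: one source sending empty-body POSTs to several
# router-style endpoints, one ordinary client, and one unparsable line.
SAMPLE_LOG = """\
2026-06-24T10:00:01Z 203.0.113.5 "POST /cgi-bin/login" 404 clen=0
2026-06-24T10:00:01Z 203.0.113.5 "POST /setup.cgi" 404 clen=0
2026-06-24T10:00:02Z 203.0.113.5 "POST /cgi-bin/diag" 404 clen=0
2026-06-24T10:00:03Z 198.51.100.7 "POST /api/login" 200 clen=87
2026-06-24T10:00:04Z 198.51.100.7 "GET /index.html" 200 clen=-
garbage line that does not match the format
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["clen"] = None if rec["clen"] == "-" else int(rec["clen"])
    return rec


def find_empty_post_scanners(log_text, min_paths=2):
    """Group Content-Length-0 POSTs by client IP and flag IPs that hit at
    least min_paths distinct paths that way. A single empty POST can be a
    mis-sent form; the same source doing it across endpoints looks like
    automated probing. Returns (flagged dict, number of unparsable lines)."""
    empty_by_ip = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["method"] == "POST" and rec["clen"] == 0:
            empty_by_ip[rec["ip"]].add(rec["path"])
    flagged = {ip: sorted(paths) for ip, paths in empty_by_ip.items()
               if len(paths) >= min_paths}
    return flagged, skipped
```

Treat a hit as a triage lead rather than a verdict, and pair it with the response status and the usual indicators from the rest of the session.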
Why This Matters Now
The Terrabot botnet's activities highlight the ongoing risk of IoT devices being exploited through known vulnerabilities, emphasizing the urgency for organizations to implement comprehensive security practices and ensure timely updates to mitigate such threats.
Attack Path Analysis
The Terrabot botnet initiated its attack by scanning the internet for vulnerable IoT devices, particularly targeting legacy D-Link DSL routers and Dasan GPON routers. Upon identifying these vulnerabilities, the botnet attempted to exploit them to gain unauthorized access. Once access was achieved, the botnet aimed to escalate privileges to execute arbitrary commands on the compromised devices. Following successful exploitation, the botnet sought to propagate itself by moving laterally to other vulnerable devices within the network. To maintain control over the infected devices, the botnet established command and control channels, allowing remote management and further exploitation. Finally, the botnet could be used to launch large-scale Distributed Denial of Service (DDoS) attacks, causing significant disruption to targeted services.
Kill Chain Progression
Initial Compromise
Description
Terrabot scanned for and exploited vulnerabilities in IoT devices, such as D-Link DSL routers (CVE-2016-20017) and Dasan GPON routers (CVE-2018-10561), to gain unauthorized access.
Related CVEs
CVE-2023-1389
CVSS 8.8 – A command injection vulnerability in the WAN interface of TP-Link Archer AX21 routers allows remote attackers to execute arbitrary commands.
Affected Products:
- TP-Link Archer AX21 – All versions prior to firmware update
Exploit Status: exploited in the wild

CVE-2024-3721
CVSS 6.3 – A command injection vulnerability in TBK DVRs allows remote attackers to execute arbitrary commands.
Affected Products:
- TBK DVR-4104 – All versions prior to firmware update
- TBK DVR-4216 – All versions prior to firmware update
Exploit Status: exploited in the wild

CVE-2024-12856
CVSS 7.2 – An OS command injection vulnerability in Four-Faith routers allows remote attackers to execute arbitrary commands.
Affected Products:
- Four-Faith F3x24 – All versions prior to firmware update
- Four-Faith F3x36 – All versions prior to firmware update
Exploit Status: exploited in the wild

CVE-2025-55182
CVSS 10 – A critical deserialization vulnerability in Next.js Server Actions allows unauthenticated remote code execution.
Affected Products:
- Vercel Next.js – All versions prior to 12.1.0
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Compromise Infrastructure: Botnet
Compromise Infrastructure: Network Devices
Valid Accounts
Exploit Public-Facing Application
Resource Hijacking
Network Denial of Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical infrastructure vulnerabilities in routers and IoT devices enable botnet infiltration, compromising network integrity and enabling lateral movement across telecommunications infrastructure.
Utilities
IoT malware targeting industrial control systems and SCADA networks threatens operational technology security, potentially disrupting critical utility services and infrastructure.
Information Technology/IT
Enterprise systems face Log4Shell exploits and fileless attacks targeting AI frameworks, requiring enhanced egress filtering and zero trust segmentation for protection.
Financial Services
Automated botnet campaigns exploit enterprise vulnerabilities while compromised devices enable command and control infrastructure, threatening financial transaction security and compliance.
Sources
- What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary] (Wed, Jun 24th): https://isc.sans.edu/diary/rss/33104
- RondoDox botnet fires 'exploit shotgun' at edge devices: https://www.theregister.com/2025/10/09/rondodox_botnet_fires_exploit_shotgun/
- RondoDox Botnet Uses 50 Plus Vulnerabilities to Target Routers, CCTV Systems and Web Servers: https://cyberpress.org/rondodox-botnet/
- RondoDox Botnet Takes 'Exploit Shotgun' Approach: https://www.securityweek.com/rondodox-botnet-takes-exploit-shotgun-approach/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the Terrabot botnet incident as it likely limits the botnet's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command channels, and exfiltrate data, thereby reducing the attack's overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The botnet's ability to exploit known vulnerabilities in IoT devices would likely be constrained, reducing the initial attack surface.
Control: Zero Trust Segmentation
Mitigation: The botnet's ability to escalate privileges on compromised devices would likely be limited, reducing the scope of control it could achieve.
Control: East-West Traffic Security
Mitigation: The botnet's ability to move laterally within the network would likely be constrained, limiting its propagation to other devices.
Control: Multicloud Visibility & Control
Mitigation: The botnet's ability to establish and maintain command and control channels would likely be limited, reducing its operational effectiveness.
Control: Egress Security & Policy Enforcement
Mitigation: The botnet's ability to exfiltrate data from compromised devices would likely be constrained, reducing the risk of data loss.
The botnet's capacity to leverage compromised devices for DDoS attacks would likely be reduced, minimizing service disruptions.
Impact at a Glance
Affected Business Functions
- Network Infrastructure Management
- Security Monitoring
- Data Transmission
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive network configurations and user data.
Recommended Actions
Key Takeaways & Next Steps
- Implement robust egress security and policy enforcement to prevent compromised devices from communicating with command and control servers.
- Deploy inline intrusion prevention systems (IPS) to detect and block exploit attempts targeting known vulnerabilities.
- Utilize zero trust segmentation to limit lateral movement within the network by enforcing strict access controls.
- Enhance multicloud visibility and control to monitor and manage traffic across all cloud environments effectively.
- Regularly update and patch IoT devices to mitigate known vulnerabilities and reduce the attack surface.