New Mirai Botnet Exploits RCE Flaw in EoL D-Link Routers
A new Mirai campaign exploits CVE-2025-29635, a critical RCE vulnerability in EoL D-Link DIR-823X routers, to build botnets for DDoS attacks. Learn how AI cybersecurity tools can help.
Key Takeaways
- A new Mirai-based malware campaign is actively exploiting **CVE-2025-29635**, a critical (CVSS 9.8) command-injection vulnerability in **EoL D-Link DIR-823X routers**.
- The flaw allows remote attackers to execute arbitrary commands, enabling botnet recruitment for **DDoS attacks**.
- Over **1.2 million devices** remain unpatched globally, with no official fix available from D-Link.
- **AI cybersecurity** and **machine learning security** tools are critical for detecting anomalous traffic and mitigating such threats.
Introduction
April 24, 2026 — Cybersecurity researchers have uncovered a new Mirai-based malware campaign actively exploiting CVE-2025-29635, a critical remote code execution (RCE) vulnerability affecting end-of-life (EoL) D-Link DIR-823X routers. This flaw, a command-injection vulnerability with a CVSS score of 9.8, allows attackers to compromise devices without authentication, enlisting them into a botnet for large-scale DDoS attacks. The campaign highlights the growing risks of unpatched legacy hardware and the need for advanced AI security tools to detect and mitigate such threats.
The Vulnerability: CVE-2025-29635
Technical Details
CVE-2025-29635 resides in the /goform/formSetWizard1 endpoint of the D-Link DIR-823X router firmware. The vulnerability stems from improper input validation in the ssidIndex parameter, which is passed directly to a system command without sanitization. An unauthenticated attacker can send a crafted HTTP POST request to trigger command injection, gaining root-level access to the device.
- **Affected Models**: D-Link DIR-823X (all firmware versions)
- **Attack Vector**: Remote, unauthenticated
- **Impact**: Full device compromise, botnet recruitment, data exfiltration
- **Status**: No patch available; D-Link declared the product EoL in 2022
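As an added example (not code from the original advisory, from D-Link, or from the researchers cited here), the following Python inspects raw HTTP requests for the pattern described above: a POST to /goform/formSetWizard1 whose ssidIndex value is anything other than a small integer. The expected format of ssidIndex (a non-negative integer, capped at 15 here), the allowlist check in `is_valid_ssid_index`, and the two sample requests are assumptions constructed for the example; the check is the kind of input validation the firmware is described as lacking, and `detect_injection` applies the same rule from the network side as a detection rule.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory text. The value format
# (a small non-negative integer) is an assumption made for this example.
TARGET_PATH = "/goform/formSetWizard1"
TARGET_PARAM = "ssidIndex"
MAX_SSID_INDEX = 15
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# Constructed sample requests (not captured traffic). 192.168.0.1 is the
# router's LAN address; "1;id" is a generic command-injection shape.
BENIGN_REQUEST = (
    "POST /goform/formSetWizard1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ssidIndex=1&ssid=HomeWiFi"
)
TAMPERED_REQUEST = (
    "POST /goform/formSetWizard1 HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ssidIndex=1%3Bid&ssid=HomeWiFi"
)


def is_valid_ssid_index(value: str) -> bool:
    """Allowlist check: digits only, within the assumed index range.

    Rejecting everything else (including '-1', '1;id', '1 `id`') is what
    prevents the value from reaching a shell with control characters.
    """
    return value.isdigit() and int(value) <= MAX_SSID_INDEX


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def detect_injection(raw: str) -> Optional[dict]:
    """Return a finding when a POST to the target endpoint carries a bad ssidIndex.

    parse_qs URL-decodes the body, so '%3B' is inspected as ';'.
    """
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    params = parse_qs(req["body"], keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        if not is_valid_ssid_index(value):
            reason = "shell metacharacters" if SHELL_META.search(value) else "non-numeric value"
            return {"param": TARGET_PARAM, "value": value, "reason": reason}
    return None


def scan_requests(requests: list) -> list:
    """Run the rule over a batch of raw requests and collect the findings."""
    return [f for f in (detect_injection(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan_requests([BENIGN_REQUEST, TAMPERED_REQUEST]):
        print(f"ALERT: {finding['param']}={finding['value']!r} ({finding['reason']})")
```

Placed in front of the router (a reverse proxy, an inline IDS, or a log-replay job over captured requests), the same allowlist rule that would have fixed the bug becomes the detection rule; it will not see the attempt if the request arrives over HTTPS and the inspection point sits outside the TLS termination.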
Exploitation in the Wild
Security firm ShadowNet Labs first detected the campaign on March 15, 2026, observing a spike in scanning activity targeting ports 80 and 8080 on D-Link DIR-823X routers. The malware, a variant of the Mirai botnet, leverages the vulnerability to download and execute a payload that:
1. Disables firewall rules
2. Kills competing malware processes
3. Connects to a command-and-control (C2) server
4. Joins the botnet for DDoS attacks
According to telemetry data, over 1.2 million vulnerable devices remain exposed globally, with the highest concentrations in the United States (22%), Brazil (15%), and India (12%).
The Mirai Botnet Resurgence
Why Mirai Still Matters
First discovered in 2016, the Mirai botnet remains a persistent threat due to its ability to compromise IoT devices with weak security. The new campaign demonstrates how attackers continue to exploit unpatched vulnerabilities in legacy hardware, even years after disclosure.
- **Scale**: The campaign has already recruited an estimated **50,000 devices** into the botnet.
- **DDoS Capabilities**: The botnet can generate traffic volumes exceeding **1 Tbps**, targeting gaming, finance, and cloud infrastructure.
- **Evolution**: The new variant includes **encrypted C2 communications** and **modular payloads**, making it harder to detect.
Role of AI in Detection
Signature-based detection alone copes poorly with Mirai variants, which are recompiled and repacked often enough that file hashes and static signatures go stale quickly. AI cybersecurity solutions, particularly those using machine learning security models, can identify anomalous traffic patterns and command injection attempts in real time. Platforms like WormGPT.ai offer unrestricted AI tools that security teams can use to simulate attack scenarios and develop countermeasures.
AI Exploit Generation and AI Hacking
The Double-Edged Sword
The rise of AI exploit generation tools has lowered the barrier for cybercriminals. Attackers can now use AI hacking frameworks to automatically discover and weaponize vulnerabilities like CVE-2025-29635. For instance:
- **Automated scanning**: AI bots scan the internet for vulnerable devices within hours of a CVE release.
- **Payload customization**: Generative AI crafts unique payloads to evade antivirus.
- **Phishing integration**: **AI phishing** campaigns trick users into disabling security features.
Defensive AI Countermeasures
Conversely, AI security tools empower defenders to:
- **Predict attack vectors** using historical data
- **Automate patch management** for supported devices
- **Deploy honeypots** to trap and analyze malware
- **Generate threat intelligence** reports in real time
Mitigation Strategies
For Users
Since D-Link has not released a patch, users must take immediate action:
1. Replace the router: Upgrade to a supported model with active firmware updates. This is the only step that actually removes the flaw.
2. Disable remote management: Block ports 80 and 8080 from WAN access. This removes the internet-facing attack path but leaves the device exploitable from the LAN side, for example by an already-compromised host.
3. Change default credentials: Use strong, unique passwords. This does not stop CVE-2025-29635, which needs no credentials, but it closes the weak-password path Mirai has used since 2016.
4. Monitor network traffic: Look for unusual outbound connections to unknown IPs, and for the router itself scanning other hosts on ports 80 and 8080.
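The monitoring step above, together with the scanning activity described under "Exploitation in the Wild", can be turned into a small flow-log analysis. The following Python is an added example, not code from the original article or from any vendor; the flow records, the IoT segment (192.0.2.0/24), the allowlist of known-good destinations and the thresholds are all constructed for the example (RFC 5737 documentation addresses, not real hosts). It flags three things for each device on the IoT segment: external peers that are not on the allowlist, scan-like fan-out to many targets on ports 80/8080, and repeated contact with one unknown peer, which is the shape of C2 beaconing.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout for the example: one IoT VLAN and a short allowlist
# of destinations the devices legitimately talk to (local resolver, a vendor
# update host). Everything else off-segment counts as "unknown".
IOT_SEGMENT = ip_network("192.0.2.0/24")
ALLOWED_DESTS = {ip_address("192.0.2.1"), ip_address("203.0.113.10")}
SCAN_PORTS = {80, 8080}          # ports the campaign is described as scanning
SCAN_THRESHOLD = 20              # distinct targets on SCAN_PORTS before we call it scanning
BEACON_THRESHOLD = 3             # repeated contacts with one unknown peer:port

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# 192.0.2.25 plays a compromised router; 192.0.2.40 is a quiet neighbour.
FLOWS = [
    ("2026-03-15T10:00:01", "192.0.2.25", "192.0.2.1", 53, 120),       # DNS, allowed
    ("2026-03-15T10:00:05", "192.0.2.25", "203.0.113.10", 443, 5400),  # vendor update, allowed
    ("2026-03-15T10:01:00", "192.0.2.25", "198.51.100.7", 6667, 90),   # unknown peer, unusual port
    ("2026-03-15T10:02:00", "192.0.2.25", "198.51.100.7", 6667, 88),
    ("2026-03-15T10:03:00", "192.0.2.25", "198.51.100.7", 6667, 91),
    ("2026-03-15T10:00:07", "192.0.2.40", "192.0.2.1", 123, 76),       # NTP from the neighbour
] + [
    # 25 short connections to 25 different hosts on port 80 within a minute
    ("2026-03-15T10:04:%02d" % i, "192.0.2.25", "198.51.100.%d" % (20 + i), 80, 60)
    for i in range(25)
]


def analyse_flows(flows, allowed=ALLOWED_DESTS,
                  scan_threshold=SCAN_THRESHOLD, beacon_threshold=BEACON_THRESHOLD):
    """Return per-source findings for IoT hosts talking off-segment to non-allowlisted IPs."""
    per_host = defaultdict(lambda: {
        "unknown_peers": set(),
        "scan_targets": set(),
        "contacts": defaultdict(int),
    })
    for _ts, src, dst, dport, _nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        # Only IoT-segment sources; ignore intra-segment and allowlisted traffic.
        if s not in IOT_SEGMENT or d in IOT_SEGMENT or d in allowed:
            continue
        host = per_host[src]
        host["unknown_peers"].add(dst)
        host["contacts"][(dst, dport)] += 1
        if dport in SCAN_PORTS:
            host["scan_targets"].add(dst)

    findings = {}
    for src, host in per_host.items():
        findings[src] = {
            "unknown_peers": sorted(host["unknown_peers"]),
            "scan_target_count": len(host["scan_targets"]),
            "scanning": len(host["scan_targets"]) >= scan_threshold,
            "beacon_peers": sorted(
                f"{dst}:{port}" for (dst, port), n in host["contacts"].items()
                if n >= beacon_threshold
            ),
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse_flows(FLOWS).items():
        print(f"{src}: {len(f['unknown_peers'])} unknown peers, "
              f"scanning={f['scanning']} ({f['scan_target_count']} targets), "
              f"beaconing to {f['beacon_peers'] or 'none'}")
```

The thresholds are deliberately simple; on a real segment they should be tuned against a baseline of the devices' normal fan-out, and the allowlist kept short, since a router that is legitimately idle has very few reasons to open connections on its own. The same per-source counters work over NetFlow/IPFIX exports or firewall connection logs once the five fields are extracted.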
For Security Teams
- **Implement AI-based IDS/IPS**: Deploy systems that use **machine learning security** to detect command injection and botnet behavior.
- **Segment IoT devices**: Isolate vulnerable routers on separate VLANs.
- **Use threat intelligence feeds**: Subscribe to feeds that track active C2 servers.
- **Leverage AI tools**: Platforms like **WormGPT.ai** can help simulate attacks and test defenses.
What This Means for Security Teams
The D-Link DIR-823X campaign is a stark reminder that EoL devices are ticking time bombs. As AI cybersecurity evolves, so do the tools available to attackers. Security teams must shift from reactive patching to proactive AI-driven defense. This includes:
- **Continuous vulnerability assessment** across the entire attack surface
- **Behavioral analytics** to detect lateral movement and C2 communication
- **Automated incident response** to contain breaches within minutes
By embracing AI security tools and fostering collaboration with platforms like WormGPT.ai, organizations can stay ahead of threats like the new Mirai campaign. The battle for IoT security is not just about patches—it's about intelligence, automation, and vigilance.