HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical RCE in D‑Link DIR‑823X Routers (CVE‑2025‑29635) Fuels New Mirai Botnet Campaign

A command‑injection flaw (CVE‑2025‑29635) in end‑of‑life D‑Link DIR‑823X routers is being actively exploited by a Mirai‑derived botnet. The vulnerability enables remote code execution, allowing attackers to enlist routers into a DDoS‑capable network, posing a supply‑chain risk for organisations that still run legacy networking gear.

LiveThreat™ Intelligence · 📅 April 23, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

Critical RCE in D‑Link DIR‑823X Routers (CVE‑2025‑29635) Fuels New Mirai Botnet Campaign

What It Is – A high‑severity command‑injection (CVE‑2025‑29635) in the D‑Link DIR‑823X series allows an attacker to execute arbitrary OS commands via a crafted POST request to /goform/set_prohibiting. The flaw is being weaponised by a Mirai‑derived malware family (“tuxnokill”) to conscript vulnerable routers into a DDoS botnet.

Exploitability – Active exploitation observed in the wild since March 2026 (Akamai SIRT). PoC was briefly published on GitHub and later withdrawn. CVSS ≈ 9.8 (Critical) based on remote code execution, no authentication, and network‑accessible service.

Affected Products – D‑Link DIR‑823X routers (firmware 240126, 24082). Devices reached end‑of‑life in November 2024; no vendor‑issued patch is expected.

TPRM Impact – Legacy networking gear in a supply chain can become a launchpad for large‑scale DDoS attacks, jeopardising downstream services, SaaS providers, and hosted applications that rely on stable connectivity. The lack of vendor support amplifies risk for organisations that have not retired or segmented these devices.

Recommended Actions

  • Inventory all D‑Link routers; flag any DIR‑823X units as high‑risk.
  • Immediately replace EoL models with supported hardware or migrate to cloud‑managed WAN solutions.
  • Disable remote‑admin interfaces and change default admin credentials.
  • Deploy network‑level IDS/IPS signatures that detect the /goform/set_prohibiting POST pattern.
  • Monitor outbound traffic for unexpected script downloads (e.g., dlink.sh).

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →