Critical RCE in D‑Link DIR‑823X Routers (CVE‑2025‑29635) Fuels New Mirai Botnet Campaign
What It Is – A high‑severity command‑injection (CVE‑2025‑29635) in the D‑Link DIR‑823X series allows an attacker to execute arbitrary OS commands via a crafted POST request to /goform/set_prohibiting. The flaw is being weaponised by a Mirai‑derived malware family (“tuxnokill”) to conscript vulnerable routers into a DDoS botnet.
Exploitability – Active exploitation has been observed in the wild since March 2026 (Akamai SIRT). A PoC was briefly published on GitHub and later withdrawn. CVSS ≈ 9.8 (Critical), based on remote code execution, no authentication required, and a network‑accessible service.
Affected Products – D‑Link DIR‑823X routers (firmware 240126, 24082). The devices reached end‑of‑life in November 2024; no vendor‑issued patch is expected.
TPRM Impact – Legacy networking gear in a supply chain can become a launchpad for large‑scale DDoS attacks, jeopardising downstream services, SaaS providers, and hosted applications that rely on stable connectivity. The lack of vendor support amplifies risk for organisations that have not retired or segmented these devices.
Recommended Actions –
- Inventory all D‑Link routers; flag any DIR‑823X units as high‑risk.
- Immediately replace EoL models with supported hardware or migrate to cloud‑managed WAN solutions.
- Disable remote‑admin interfaces and change default admin credentials.
- Deploy network‑level IDS/IPS signatures that detect the /goform/set_prohibiting POST pattern.
- Monitor outbound traffic for unexpected script downloads (e.g., dlink.sh).
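The last two actions can be checked against existing web-access or proxy logs before a dedicated IDS signature is in place. The following is an added example, not code from the advisory or from D‑Link: it scans constructed, combined-format log lines and flags (a) POST requests to the /goform/set_prohibiting endpoint named above and (b) outbound fetches of a script named dlink.sh. The log format, the source addresses and the `Alert` type are assumptions for illustration; the two indicators come from the advisory text. Request targets are percent-decoded and path-normalised before matching so that trivially encoded variants of the same path are not missed by a plain substring check.

```python
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Simplified combined-log format as a reverse proxy or IDS might emit (assumption).
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Indicators taken from the advisory above.
VULN_PATH = "/goform/set_prohibiting"
SUSPICIOUS_SCRIPT_NAMES = {"dlink.sh"}

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [12/Mar/2026:10:01:05 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 41
198.51.100.23 - - [12/Mar/2026:10:01:06 +0000] "POST /goform/%73et_prohibiting HTTP/1.1" 200 41
192.168.0.1 - - [12/Mar/2026:10:01:09 +0000] "GET http://203.0.113.5/bins/dlink.sh HTTP/1.1" 200 2048
192.0.2.10 - - [12/Mar/2026:10:02:00 +0000] "POST /goform/login HTTP/1.1" 200 88
""".splitlines()


@dataclass
class Alert:
    kind: str
    src: str
    ts: str
    target: str


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def normalised_path(target):
    """Extract the URL path from a request target ("/p" or "http://host/p"),
    percent-decode it and collapse duplicate slashes / dot segments."""
    raw = urlsplit(target).path
    return posixpath.normpath(unquote(raw)) if raw else raw


def classify(rec):
    """Map one parsed record to an alert kind, or None if it is benign."""
    path = normalised_path(rec["target"])
    if rec["method"] == "POST" and path == VULN_PATH:
        return "cve-2025-29635-exploit-attempt"
    if rec["method"] == "GET" and posixpath.basename(path) in SUSPICIOUS_SCRIPT_NAMES:
        return "suspicious-script-download"
    return None


def scan(lines):
    """Run the two indicator checks over an iterable of log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        kind = classify(rec)
        if kind:
            alerts.append(Alert(kind, rec["src"], rec["ts"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.kind:32} src={a.src} target={a.target}")
```

Two of the three alerts in the sample come from the same source, so in practice the next step is to correlate hits by source address and by device (a router that both receives the POST and then fetches a script is the stronger signal) rather than to act on single lines.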
Source: BleepingComputer