Mirai Variant “tuxnokill” Exploits D‑Link DIR‑823X Router (CVE‑2025‑29635) and Other IoT Devices, Fueling Large‑Scale DDoS Botnet
What It Is – A newly observed Mirai‑derived botnet variant, dubbed tuxnokill, weaponizes a command‑injection flaw (CVE‑2025‑29635) in D‑Link DIR‑823X routers. A parallel campaign (Nexcorium) targets TP‑Link, ZTE routers and TBK DVRs, adding persistence mechanisms and a legacy Huawei exploit.
Exploitability – A public proof‑of‑concept for CVE‑2025‑29635 had circulated for over a year before this campaign; the botnet operators use a modified version of it. Exploitation is confirmed in the wild, with infected devices acting as DDoS attack nodes. CVSS (estimated) ≈ 8.8 (High).
Affected Products – D‑Link DIR‑823X routers (CVE‑2025‑29635), TP‑Link Archer AX21 (CVE‑2023‑1389), ZTE ZXV10 H108L routers (public exploit, no CVE cited), TBK digital video recorders (CVE‑2024‑3721), and legacy Huawei HG532 devices (CVE‑2017‑17215).
TPRM Impact – Compromised third‑party IoT assets can be conscripted into DDoS botnets, threatening service availability for downstream customers and exposing supply‑chain partners to reputational damage and regulatory scrutiny.
Recommended Actions –
- Conduct an inventory of all IoT, router, and DVR assets in the vendor ecosystem.
- Verify firmware is current; apply vendor patches for CVE‑2025‑29635, CVE‑2023‑1389, CVE‑2024‑3721 and any legacy CVEs, and replace devices the vendor no longer supports, since unpatched end‑of‑life hardware (the legacy Huawei exploit is an example) remains a standing target.
- Enforce network segmentation for unmanaged IoT devices, and restrict their outbound traffic to the destinations and ports each device actually needs, so a compromised unit cannot reach arbitrary attack targets.
- Deploy outbound traffic monitoring (flow records or egress metering per device) to detect abnormal DDoS‑related traffic from vendor‑owned hardware: sustained high packet rates, many distinct destinations, or floods of tiny packets.
- Require vendors to adopt a vulnerability‑management SLA that includes rapid patch deployment for IoT firmware.
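The outbound‑monitoring item above is the one action in this list that reduces to detection logic, so here is an added example of it (written for this page, not code from the advisory, Help Net Security, or any device vendor). It consumes NetFlow‑style records for one aggregation window and flags devices in an assumed IoT segment whose egress looks like flood participation. The segment address, the thresholds, and the sample records are all constructed assumptions and would need tuning against a baseline of normal device behaviour.

```python
"""Flag DDoS-like outbound traffic from an IoT / vendor-hardware segment.

Added example (not from the advisory or any vendor). Consumes NetFlow-style
records "src,dst,dport,proto,packets,bytes" covering one aggregation window
and reports devices whose outbound pattern looks like flood participation.
Segment, thresholds and the sample records are all constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed VLAN holding vendor routers / DVRs; everything else is "outside".
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Assumed thresholds; tune against a baseline of normal device behaviour.
MAX_PPS = 2000            # sustained outbound packets per second per device
MAX_FANOUT = 50           # distinct destination IPs per window
MIN_AVG_PKT_BYTES = 100   # flood traffic is typically tiny SYN/UDP packets


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV flow record (constructed format, not a vendor export)."""
    src, dst, dport, proto, packets, nbytes = line.strip().split(",")
    return Flow(src, dst, int(dport), proto.upper(), int(packets), int(nbytes))


def detect(lines, window_sec: int = 60) -> dict[str, list[str]]:
    """Return {device_ip: [reasons]} for IoT devices with flood-like egress.

    Only flows leaving IOT_SEGMENT are counted, so east-west chatter inside
    the segment (discovery, NTP between devices) does not inflate the score.
    """
    per_src: dict[str, list[Flow]] = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank lines / comments when reading from a file
        flow = parse_flow(line)
        src_in = ipaddress.ip_address(flow.src) in IOT_SEGMENT
        dst_out = ipaddress.ip_address(flow.dst) not in IOT_SEGMENT
        if src_in and dst_out:
            per_src[flow.src].append(flow)

    findings: dict[str, list[str]] = {}
    for src, flows in per_src.items():
        packets = sum(f.packets for f in flows)
        nbytes = sum(f.nbytes for f in flows)
        pps = packets / window_sec
        fanout = len({f.dst for f in flows})
        avg_pkt = nbytes / packets if packets else 0

        reasons = []
        if pps > MAX_PPS:
            reasons.append(f"egress {pps:.0f} pps exceeds {MAX_PPS}")
        if fanout > MAX_FANOUT:
            reasons.append(f"{fanout} distinct destinations exceeds {MAX_FANOUT}")
        # Small packets alone are not evidence (DNS is small too); the size
        # check only strengthens a finding that is already volumetric.
        if reasons and avg_pkt < MIN_AVG_PKT_BYTES:
            reasons.append(f"average packet {avg_pkt:.0f} B suggests SYN/UDP flood")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample window (60 s). Not real telemetry.
SAMPLE_LINES = [
    # A DVR streaming RTSP to an internal NVR: high volume, large packets, one peer.
    "10.50.0.20,10.10.0.5,554,TCP,30000,40000000",
    # A router doing ordinary DNS: tiny packets but negligible rate and fan-out.
    "10.50.0.7,10.10.0.53,53,UDP,120,8400",
    # Device-to-device traffic inside the segment: ignored as not egress.
    "10.50.0.7,10.50.0.20,123,UDP,600,45600",
]
# A conscripted router spraying 76-byte SYNs at 60 victims (3000 packets each).
SAMPLE_LINES += [f"10.50.0.9,203.0.113.{i},443,TCP,3000,228000" for i in range(1, 61)]


if __name__ == "__main__":
    for device, reasons in detect(SAMPLE_LINES).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

The DVR is not flagged despite moving far more bytes than the compromised router, because the score is built from packet rate and destination fan‑out rather than volume; that distinction is what keeps legitimate high‑bandwidth devices such as cameras and DVRs out of the alert queue. In production the same aggregation would run over exported NetFlow/IPFIX or firewall session logs per window, and a positive finding is a cue to quarantine the device and check its firmware against the CVEs listed above.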
Source: Help Net Security