{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/zxv10-h108l/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-29635"},{"cvss":8.8,"id":"CVE-2023-1389"}],"_cs_exploited":false,"_cs_products":["DIR-823X","ZXV10 H108L"],"_cs_severities":["critical"],"_cs_tags":["mirai","ddos","rce","iot"],"_cs_type":"advisory","_cs_vendors":["D-Link","TP-Link","ZTE"],"content_html":"\u003cp\u003eA new Mirai-based malware campaign has been observed exploiting CVE-2025-29635, a high-severity command injection vulnerability affecting D-Link DIR-823X routers. Discovered by Akamai\u0026rsquo;s SIRT in March 2026, the campaign involves attackers sending malicious POST requests to vulnerable D-Link routers to execute arbitrary commands. This vulnerability allows attackers to download and execute a shell script, ultimately leading to the deployment of Mirai-based malware. The affected D-Link routers reached end-of-life in November 2024, meaning a patch is unlikely. The same actor is also exploiting CVE-2023-1389 impacting TP-Link routers, and an RCE flaw in ZTE ZXV10 H108L routers, deploying the same Mirai payload.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on the D-Link DIR-823X router.\u003c/li\u003e\n\u003cli\u003eThe POST request exploits CVE-2025-29635 to inject and execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands change directories across writable paths on the router.\u003c/li\u003e\n\u003cli\u003eA shell script named \u003ccode\u003edlink.sh\u003c/code\u003e is downloaded from an external IP address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edlink.sh\u003c/code\u003e script is executed on the compromised router.\u003c/li\u003e\n\u003cli\u003eThe script installs a Mirai-based malware variant named \u0026ldquo;tuxnokill\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u0026ldquo;tuxnokill\u0026rdquo; establishes persistence and begins scanning for new targets.\u003c/li\u003e\n\u003cli\u003eThe compromised device is then used to launch DDoS attacks, leveraging Mirai\u0026rsquo;s standard capabilities, including TCP SYN/ACK/STOMP, UDP floods, and HTTP null attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-29635 allows attackers to remotely execute arbitrary commands on vulnerable D-Link DIR-823X routers. The compromised routers are then incorporated into the Mirai botnet, increasing its size and DDoS capabilities. Given that these routers are end-of-life, many remain unpatched, potentially leading to a large number of compromised devices. This can result in network disruptions and service outages for targeted entities, as well as potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/goform/set_prohibiting\u003c/code\u003e endpoint on D-Link routers, as described in the Attack Chain, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Mirai dlink.sh Download\u003c/code\u003e to identify attempts to download the malicious shell script.\u003c/li\u003e\n\u003cli\u003eIf using affected D-Link DIR-823X routers, TP-Link, or ZTE ZXV10 H108L routers, upgrade to a supported device or implement network segmentation to limit potential damage.\u003c/li\u003e\n\u003cli\u003eBlock the external IP address hosting the \u003ccode\u003edlink.sh\u003c/code\u003e script if it can be reliably determined and is observed on your network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-mirai-dlink-rce/","summary":"A new Mirai-based malware campaign is exploiting CVE-2025-29635, a command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.","title":"Mirai Campaign Exploiting CVE-2025-29635 in D-Link Routers","url":"https://feed.craftedsignal.io/briefs/2026-04-mirai-dlink-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — ZXV10 H108L","version":"https://jsonfeed.org/version/1.1"}