A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in D-Link DIR-823X routers. Discovered by Akamai SIRT in March 2026, this represents the first instance of in-the-wild exploitation of the flaw since its initial disclosure over a year ago. Attackers leverage POST requests to the /goform/set_prohibiting endpoint to achieve remote command execution and recruit devices into a botnet.
The campaign deploys a Mirai variant named "tuxnokill," which is capable of various DDoS attacks including TCP and UDP floods. Because the affected D-Link devices reached end-of-life status in late 2024, no security patches are expected. Security researchers recommend that users of these legacy routers upgrade to supported hardware or disable remote administration to mitigate the threat of compromise.
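A defender's check for the request pattern described above, as an added example that is not from the original page or from Akamai's report: it scans web access logs from a gateway or sensor in front of the router for POSTs to /goform/set_prohibiting and marks the ones that arrive from outside the LAN. The log format, the `find_hits` name, the internal address ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/goform/set_prohibiting"  # endpoint named in the report

# Assumption: "internal" means RFC 1918 or loopback sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: Common Log Format lines from a device in front of the router.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_hits(lines):
    """Return one dict per POST to TARGET_PATH, flagging non-LAN sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, then decode percent-escapes before comparing.
        path = unquote(urlsplit(m["target"]).path).rstrip("/")
        if path != TARGET_PATH:
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
            external = not any(addr in net for net in INTERNAL_NETS)
        except ValueError:
            external = True  # unparseable source: treat as untrusted
        hits.append({"src": m["src"], "ts": m["ts"],
                     "status": int(m["status"]), "external": external})
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2026:04:11:09 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
    '192.168.0.23 - - [12/Mar/2026:08:30:41 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
    '198.51.100.9 - - [12/Mar/2026:09:02:17 +0000] "GET /goform/set_prohibiting HTTP/1.1" 404 0',
    '198.51.100.9 - - [12/Mar/2026:09:02:18 +0000] "POST /goform/%73et_prohibiting?a=1 HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Mar/2026:09:05:00 +0000] "POST /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE):
        print(h["ts"], h["src"], "EXTERNAL" if h["external"] else "internal", h["status"])
```

Any hit marked external means the management interface is reachable from the WAN side, which is the exposure the recommendation to disable remote administration removes.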