More than a year ago, security researchers disclosed a flaw in certain D-Link routers that is now being actively exploited by a Mirai-based botnet. The defect, tracked as CVE-2025-29635, allows remote command execution via a POST request sent to a specific endpoint on the device, and according to Akamai's Security Intelligence Response Team (SIRT) the weakness has been used since March 2026 to enlist equipment into a malicious network.
The technique observed by Akamai is not sophisticated: attackers send requests that exploit the vulnerability to reach paths where the system has write permissions, download a script called dlink.sh from a remote server and run it, which results in the installation of a malicious binary. That binary, dubbed "tuxnokill" by the analysts, is a Mirai adaptation built to run on several CPU architectures, and it retains the classic catalogue of distributed denial-of-service (DDoS) attacks associated with Mirai: TCP SYN floods, UDP amplification and HTTP flood variants.

The technical description of the flaw makes the vector clear: a POST request to the resource /goform/set_prohibiting invokes a vulnerable function and allows commands to be injected and executed on the affected device. The public vulnerability entry in the National Vulnerability Database is available for the technical details and the history of the CVE assignment: NVD - CVE-2025-29635. Akamai's report, which documents the campaign and shows the signals collected by its honeypot network, is available here: Akamai SIRT - campaign analysis.
One relevant detail of this incident is that the vulnerability was disclosed by researchers Wang Jinshuai and Zhao Jiangting more than a year ago, and a proof of concept was briefly published on GitHub, which the authors subsequently withdrew. However, mass exploitation in real environments had not been documented until Akamai's recent observations.
The campaign's operators have not limited themselves to this single target. The same attack patterns detected by Akamai also appeared in attempts to exploit other flaws, such as CVE-2023-1389, which affects certain TP-Link routers, and a remote code execution vulnerability in ZTE ZXV10 H108L routers; in all cases the outcome was the deployment of a Mirai-type payload.
The context increases the risk: the DIR-823X models affected by CVE-2025-29635 reached end of life in November 2024, according to D-Link itself, which reduces the chances of receiving an official patch. D-Link has made clear in its policies that it does not usually grant support exceptions for EoL equipment, so millions of users with old hardware may have no update available; the end-of-support notice is published on the company's site: D-Link - end of life announcement.
This incident is a reminder of why IoT-based botnets remain a persistent threat: devices with outdated firmware, default passwords and Internet-exposed management services offer an attractive and stable attack surface. Mirai, in its various reincarnations, has shown that it can reappear in variants that can be compiled for different chips and embedded operating systems, multiplying the risk in home and SME environments.
If you have one of these routers or similarly aged equipment, the most effective defensive measure is to replace it with a device that still receives support and security updates. While replacement is not possible, it is advisable to minimise exposure: disable remote administration if it is not needed, change administrative credentials to strong, unique passwords, and monitor for abnormal behaviour such as unexpected reboots, outgoing connections to unknown IPs or configuration changes you did not make.

In addition, security managers and teams are advised to review logs, block known exploitation attempts at the perimeter and use traffic inspection to detect scripts that attempt to persist in paths with write permissions. Public intelligence about these campaigns, such as Akamai's, and the CVE description help to tune detection and blocking rules in firewalls and intrusion prevention systems.
The good news is that the security community has documentation and analysis with which to identify and mitigate such threats; the bad news is that the installed base of unsupported devices will remain an exploitable vector as long as there is connected equipment without maintenance. To understand the historical and technical scope of Mirai, reference pieces describing the evolution of this malicious ecosystem can be consulted, such as Brian Krebs' analysis of the Mirai botnet and its large-scale consequences: KrebsOnSecurity - The Mirai Botnet.
In short, CVE-2025-29635 has become the gateway for an active campaign that installs a Mirai variant on D-Link routers that no longer receive support. The safest solution is to replace the equipment with a supported one; as complementary measures, reduce the attack surface and monitor the network's behaviour to detect signs of compromise as early as possible.
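The log-review advice above, together with the endpoint the CVE description names, can be turned into a concrete check. The following Python script is an added example written for this article; it is not code from Akamai, D-Link or the NVD entry. It assumes that the router's web server, or a perimeter proxy in front of it, writes requests in combined log format, and it runs over a few constructed sample lines. Two signals are flagged: a POST to /goform/set_prohibiting (with a note on whether the source address is outside the RFC 1918 LAN ranges, which would indicate exposed remote administration) and any request whose last path segment is dlink.sh, the staging script the campaign downloads. The rule names and the sample addresses are assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Endpoint named in the CVE-2025-29635 description cited by the article.
VULNERABLE_ENDPOINT = "/goform/set_prohibiting"
# Name of the staging script reported in Akamai's campaign analysis.
STAGER_NAME = "dlink.sh"

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also treats the
# TEST-NET documentation ranges as private, which would hide "external" sources
# in sample data such as the lines below.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined/common log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    ts: str
    src: str
    rule: str
    detail: str


def _is_lan(ip: str) -> bool:
    """True when the address falls inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not treated as hits
    ip, ts, method, path = m.group("ip", "ts", "method", "path")
    lowered = path.lower()

    # Signal 1: a POST to the vulnerable endpoint. Legitimate use from the LAN
    # is possible, so the origin is recorded rather than assumed malicious.
    if method == "POST" and lowered.split("?", 1)[0] == VULNERABLE_ENDPOINT:
        origin = "LAN" if _is_lan(ip) else "external"
        return Finding(ts, ip, "cve-2025-29635-endpoint",
                       f"POST to {VULNERABLE_ENDPOINT} from {origin} address")

    # Signal 2: a fetch of the staging script. In a proxy log the path is an
    # absolute URL, so only the final path segment is compared.
    if lowered.rsplit("/", 1)[-1] == STAGER_NAME:
        return Finding(ts, ip, "mirai-stager-fetch",
                       f"request for {STAGER_NAME} ({path})")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyse_line over every line and keep the hits."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


def summarise(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample log: one benign page view, one POST to the vulnerable
# endpoint from a non-LAN address, one proxy-logged fetch of dlink.sh by a
# LAN host, and one ordinary login POST. Addresses are documentation ranges.
SAMPLE_LOG = """\
192.168.0.23 - - [12/Mar/2026:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.45 - - [12/Mar/2026:10:02:11 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 97
192.168.0.9 - - [12/Mar/2026:10:02:12 +0000] "GET http://198.51.100.7/dlink.sh HTTP/1.1" 200 412
192.168.0.23 - - [12/Mar/2026:10:05:40 +0000] "POST /goform/login HTTP/1.1" 200 80
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src:<15} {h.rule:<26} {h.detail}")
    print(summarise(hits))
```

The two rules are deliberately narrow so they can be dropped into an existing log pipeline without tuning; a POST to the endpoint from a LAN address is still reported, since the point of the check is to surface any use of a function that should not be reachable on an end-of-life device.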