Last updated: July 5, 2026 at 9:01 AM UTC

New C0XMO botnet exploits DD-WRT router flaw, wipes rival malware

Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A malformed network request to that service gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and kills rival botnets, and even researchers' security tools, to keep the device to itself. A separate scanner module spreads it to devices built on many CPU architectures (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.

Check
Audit routers and IoT devices for DD-WRT firmware vulnerable to CVE-2021-27137, paying particular attention to any UPnP/SSDP service answering on UDP port 1900 from the WAN side, and hunt Linux hosts for hidden .sys files, cron jobs that fire every 15 minutes, and shell profiles (.profile, .bashrc, /etc/profile) that have been modified to launch something from a scratch or hidden path.
Affected
DD-WRT router firmware with the vulnerable UPnP/SSDP service (CVE-2021-27137) reachable on UDP port 1900, plus Linux and IoT devices with weak Telnet or SSH credentials.
Fix
Update DD-WRT firmware to a fixed build, disable UPnP (or at minimum block UDP port 1900 from the WAN), turn off internet-facing Telnet/SSH, set strong unique admin credentials, and remove the malware's cron jobs and hidden payloads. Because C0XMO hides its files and rewrites shell profiles, a device that was actually infected is best reflashed with clean firmware rather than cleaned in place.
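The following script is an added example, not code from Fortinet's report or from the page above, showing how a responder might hunt a Linux or IoT host for the three persistence traces the page lists (15-minute cron jobs, hidden .sys files, shell profiles that launch a payload) and build the SSDP M-SEARCH probe used to check whether a router's UPnP service answers on UDP 1900. The page does not give C0XMO's actual file or cron names, so every pattern here is a generic assumption; the sample crontab and profile text are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the Fortinet report or the original page).
# Hunts for the persistence traces the page describes. All file names,
# paths and patterns below are assumptions, not known C0XMO indicators.

# --- constructed sample input, used only for the offline demonstration ---
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.x.sys >/dev/null 2>&1
15 */2 * * * /usr/local/bin/backup.sh'

SAMPLE_PROFILE='# ~/.profile
export PATH="$PATH:/usr/local/bin"
alias ll="ls -l"
nohup /tmp/.x.sys >/dev/null 2>&1 &'

# Print crontab lines whose minute field fires every 15 minutes, in either
# the "*/15" step form or the explicit "0,15,30,45" list. Comment lines and
# lines with fewer than six fields (environment assignments) are skipped.
find_15min_cron() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        $1 == "*/15" || $1 == "0,15,30,45" { print }
    '
}

# Print non-comment profile lines that reference a scratch directory
# (/tmp/, which also covers /var/tmp/, or /dev/shm/) or a hidden path
# component such as /.x.sys, i.e. the kind of launcher a modified
# .profile or .bashrc would carry.
find_profile_launchers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /\/tmp\/|\/dev\/shm\/|\/\.[[:alnum:]_]/ { print }
    '
}

# List hidden entries under a directory tree whose name ends in .sys, plus
# any hidden entry named exactly .sys. This is a literal reading of the
# page's "hidden .sys files"; adjust the -name tests if your sample differs.
find_hidden_sys() {
    find "$1" \( -name '.*.sys' -o -name '.sys' \) 2>/dev/null
}

# Build the SSDP M-SEARCH probe (CRLF line endings) that a UPnP service
# answers on UDP 1900. To test a router from the WAN side, pipe it into a
# UDP-capable netcat, e.g.:  ssdp_msearch | nc -u -w 2 ROUTER_IP 1900
# (flag names assume OpenBSD/GNU-style nc; a reply means UPnP is exposed).
ssdp_msearch() {
    printf 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n'
}

# Run the three host checks against the usual locations on the live system.
hunt_host() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        find_15min_cron "$(cat "$f")" | sed "s|^|$f: |"
    done
    for p in /etc/profile /etc/bash.bashrc /root/.profile /root/.bashrc \
             /home/*/.profile /home/*/.bashrc; do
        [ -f "$p" ] || continue
        find_profile_launchers "$(cat "$p")" | sed "s|^|$p: |"
    done
    for d in /tmp /var/tmp /dev/shm /root /home; do
        find_hidden_sys "$d"
    done
}

# "--demo" runs the checks over the constructed samples; "--hunt" runs them
# over the live host. With no argument the functions are only defined.
case "${1:-}" in
    --demo)
        echo "[cron]";    find_15min_cron "$SAMPLE_CRONTAB"
        echo "[profile]"; find_profile_launchers "$SAMPLE_PROFILE"
        ;;
    --hunt)
        hunt_host
        ;;
esac
```

Run it as `sh hunt.sh --demo` to see the two sample hits, or as root with `--hunt` on a suspect box. The cron check keys on the schedule rather than on a command string because the page gives the 15-minute interval but not the payload name, which is exactly the property a rebuilt sample would be least likely to change.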