Last updated: July 5, 2026 at 9:01 AM UTC
Tag: d-link (3 articles)

AryStinger botnet hijacks thousands of outdated D-Link routers as proxies

Researchers at XLab have documented a previously unknown botnet called AryStinger that has taken over more than 4,000 outdated routers, mostly D-Link DIR-850L and DIR-818LW models, and turned them into proxies for malicious traffic. It spreads by exploiting old, unpatched vulnerabilities and can scan networks, tunnel and proxy traffic, run commands, and tamper with DNS settings to hijack users' browsing. A more advanced Go-based variant targets NAS devices and adds internal network reconnaissance using open-source pentest tools. Infections cluster in South Korea and China but reach Sweden and Southeast Asia too. The compromised devices are end-of-life and will not receive fixes.

Check
Identify end-of-life D-Link routers and internet-exposed NAS devices on your networks, check for unexpected DNS settings, outbound proxy or tunneling traffic, and signs of remote command execution or scanning.
Affected
Outdated, end-of-life D-Link routers (notably DIR-850L and DIR-818LW) and exposed NAS devices running unpatched firmware; tampered DNS can silently hijack browsing for every device behind the router.
Fix
Replace end-of-life routers with supported models, update firmware on NAS devices, change default credentials, disable remote management and internet-exposed admin interfaces, and reset DNS settings to trusted resolvers.

CISA adds four more flaws to KEV - SimpleHelp authorization bypass (CVSS 9.9), Samsung MagicINFO, and the D-Link DIR-823X bug already powering fresh Mirai botnets

CISA added four flaws to KEV on April 24 with a May 8 federal deadline. The headline is CVE-2024-57726 (CVSS 9.9), a missing authorization in SimpleHelp RMM that lets a low-privileged technician mint API keys above their role and escalate to server admin; companion CVE-2024-57728 (CVSS 7.2) chains a path traversal for RCE. SimpleHelp featured in DragonForce and Akira ransomware campaigns last year. CVE-2024-7399 (CVSS 8.8) is a Samsung MagicINFO 9 path traversal with a public PoC since 2024. The fourth, CVE-2025-29635, is the D-Link DIR-823X bug we covered last week.

Check
Inventory exposed instances of SimpleHelp, Samsung MagicINFO 9 Server, and any remaining D-Link DIR-823X routers. SimpleHelp is the priority - it sits inside the IT trust boundary.
Affected
SimpleHelp before 5.5.8 against CVE-2024-57726 and CVE-2024-57728 (chained to RCE as the SimpleHelp server user). Samsung MagicINFO 9 Server unpatched against CVE-2024-7399. D-Link DIR-823X firmware 240126 and 24082 against CVE-2025-29635 - the product line is discontinued and no vendor patch exists.
Fix
Upgrade SimpleHelp to 5.5.8+ and rotate every API key issued by every technician account, since unprivileged techs could have minted privileged keys during the vulnerable window. Audit SimpleHelp session logs for anomalies. Patch Samsung MagicINFO and remove its internet exposure. For D-Link DIR-823X, replace the hardware - there is no fix. Treat May 8 as your own deadline.

Mirai botnet exploits a year-old D-Link PoC to build fresh botnets on discontinued routers (CVE-2025-29635)

Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and none is coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.

Check
Check your external attack surface (including remote-worker home networks that terminate corporate VPNs) for any D-Link DIR-823X, TP-Link AX21, or ZTE ZXV10 H108L routers facing the internet.
Affected
D-Link DIR-823X firmware 240126 and 24082 (the entire discontinued product line is affected and will not receive a vendor patch). Also actively targeted: TP-Link AX21 routers vulnerable to CVE-2023-1389 and ZTE ZXV10 H108L devices.
Fix
Replace affected D-Link DIR-823X units with a supported model - there is no fix. For TP-Link AX21, apply the vendor firmware addressing CVE-2023-1389. Block outbound traffic to 88.214.20[.]14 and 64.89.161[.]130 at your corporate perimeter and DNS resolver, and hunt for any past connections to them in flow logs. For remote-worker environments, enforce corporate-approved home-router models or at minimum audit for end-of-life consumer hardware terminating VPN tunnels.
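
One way to run the flow-log hunt described in the Fix above, as an added example that is not from Akamai or from this digest. The CSV column layout, the sample records, their timestamps and the port used for the payload host are constructed assumptions; only the two indicators and the C2 port come from the summary.

```python
import csv
import io
import ipaddress

# Indicators as the summary lists them (defanged), with the role it gives each.
INDICATORS = {"88.214.20[.]14": "payload host", "64.89.161[.]130": "C2"}
C2_PORT = 44300  # TCP port the summary gives for the C2 channel


def refang(value):
    """Parse a defanged indicator such as 192.0.2[.]1 into an IP object."""
    return ipaddress.ip_address(value.replace("[.]", ".").strip())


WATCHLIST = {refang(text): role for text, role in INDICATORS.items()}
PAYLOAD_IP, C2_IP = (str(ip) for ip in WATCHLIST)

# Constructed sample flow export. The column layout is an assumption; map it
# to whatever your collector (NetFlow, firewall CSV, VPC flow logs) emits.
SAMPLE_FLOWS = f"""ts,src,dst,dport,proto
2026-01-10T03:11:02Z,192.168.1.1,{PAYLOAD_IP},80,tcp
2026-01-10T03:11:09Z,192.168.1.1,{C2_IP},{C2_PORT},tcp
2026-01-10T03:12:40Z,192.168.1.23,198.51.100.7,443,tcp
2026-01-10T03:13:00Z,192.168.1.50,203.0.113.9,{C2_PORT},tcp
2026-01-10T03:14:00Z,bad-row,,,
"""


def hunt(flow_csv):
    """Return (hits, skipped): flows touching the watchlist, malformed rows."""
    hits, skipped = [], 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport = int(row["dport"])
        except (ValueError, TypeError):
            skipped += 1  # count unparsable records instead of hiding them
            continue
        # Match either direction so one-way (return-path) records still hit.
        peer, device = (dst, src) if dst in WATCHLIST else (src, dst)
        if peer not in WATCHLIST:
            continue
        hits.append({
            "ts": row["ts"], "device": str(device), "indicator": str(peer),
            "role": WATCHLIST[peer],
            "c2_port_match": peer == dst and WATCHLIST[peer] == "C2" and dport == C2_PORT,
        })
    return hits, skipped
```

A hit with `c2_port_match` set means the internal device in `device` reached the C2 address on the reported port, so that device is the one to isolate and replace; the port alone, as in the fourth sample row, is not treated as a hit.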