Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: iot (2 articles)Clear

New C0XMO botnet exploits DD-WRT router flaw, wipes rival malware

Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A booby-trapped network request gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and deletes rival botnets and even researchers' security tools to keep the device to itself. A separate scanner spreads it across many chip types (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.

Check
Audit routers and IoT devices for DD-WRT firmware vulnerable to CVE-2021-27137, and hunt Linux hosts for hidden .sys files, 15-minute cron jobs, and modified shell profiles.
Affected
DD-WRT router firmware with the vulnerable UPnP/SSDP service (CVE-2021-27137) reachable on UDP port 1900, plus Linux and IoT devices with weak Telnet or SSH credentials.
Fix
Update DD-WRT firmware to a fixed build, disable UPnP and internet-facing Telnet/SSH, set strong unique admin credentials, and remove the malware's cron jobs and hidden payloads.

Mirai botnet exploits a year-old D-Link PoC to build fresh botnets on discontinued routers (CVE-2025-29635)

Akamai's Security Intelligence and Response Team caught a Mirai variant actively exploiting CVE-2025-29635, a command-injection flaw in discontinued D-Link DIR-823X routers, roughly one year after the vulnerability was publicly disclosed and its proof-of-concept exploit posted to GitHub (and later removed). The flaw lives in the sub_42232C function of the router firmware, where an attacker-controlled macaddr field is copied into a command buffer via snprintf and passed to system() without validation, enabling remote command execution through a crafted POST to /goform/set_prohibiting. Firmware versions 240126 and 24082 are affected. D-Link retired the DIR-823X line in 2025, so there is no vendor patch and no vendor patch coming. The Mirai variant, called 'tuxnokill' by its authors, drops from 88.214.20[.]14 via a simple shell script, supports multiple CPU architectures, uses XOR key 0x30 to obfuscate strings, and phones home to 64.89.161[.]130 on TCP port 44300. The same operator is chaining D-Link alongside CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, giving them a diverse pool of end-of-life consumer routers to enslave. At the time Akamai reported, CVE-2025-29635 was not yet on the CISA KEV catalog. The lesson: public PoCs against dead hardware do not stay dormant forever, and the 'wait for active exploitation' instinct gives attackers a year's head start.

Check
Check your external attack surface (including remote-worker home networks that terminate corporate VPNs) for any D-Link DIR-823X, TP-Link AX21, or ZTE ZXV10 H108L routers facing the internet.
Affected
D-Link DIR-823X firmware 240126 and 24082 (the entire discontinued product line is affected and will not receive a vendor patch). Also actively targeted: TP-Link AX21 routers vulnerable to CVE-2023-1389 and ZTE ZXV10 H108L devices.
Fix
Replace affected D-Link DIR-823X units with a supported model - there is no fix. For TP-Link AX21, apply the vendor firmware addressing CVE-2023-1389. Block outbound traffic to 88.214.20[.]14 and 64.89.161[.]130 at your corporate perimeter and DNS resolver, and hunt for any past connections to them in flow logs. For remote-worker environments, enforce corporate-approved home-router models or at minimum audit for end-of-life consumer hardware terminating VPN tunnels.