:

MIRAI BOTNET EXPLOITS D-LINK ROUTER FLAW

AI DESK2 MIN READ
WED, APR 22, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

A new Mirai-based malware campaign is actively exploiting CVE-2025-29635, a high-severity command-injection vulnerability in D-Link DIR-823X routers. The end-of-life devices are being conscripted into the botnet at scale.

Security researchers have identified an active malware campaign leveraging CVE-2025-29635 against D-Link DIR-823X routers. The vulnerability allows remote code execution through command injection, enabling attackers to deploy Mirai variants and expand botnet infrastructure. D-Link DIR-823X routers reached end-of-life status years ago, meaning the manufacturer no longer provides security updates. This abandonment leaves millions of potentially vulnerable devices exposed in networks worldwide. The routers remain in use across residential and small business deployments despite their deprecated status. The CVE-2025-29635 flaw carries a CVSS score indicating high severity. Attackers exploiting the vulnerability gain unauthenticated remote code execution, providing complete device control. Once compromised, routers become nodes in the Mirai botnet, capable of participating in distributed denial-of-service attacks and other malicious operations. Mirai campaigns have historically targeted IoT devices and networking equipment with known vulnerabilities. The botnet's modular architecture allows operators to deploy various payloads and coordinate large-scale attacks. Previous Mirai campaigns have generated significant internet disruption through DDoS operations against critical infrastructure and major online services. Organizations running DIR-823X routers should consider immediate replacement with supported hardware. Network administrators can implement additional protections including: - Network segmentation isolating router management interfaces - Traffic monitoring for suspicious outbound connections - Firewall rules restricting unnecessary internet access from routers - Regular security audits of connected devices Users unable to immediately replace affected equipment should disable remote management features and restrict access to router administration interfaces. Changing default credentials and implementing strong passwords provides minimal additional protection on vulnerable systems. The exploitation of end-of-life networking equipment demonstrates the persistent security risks posed by abandoned hardware in production environments. Organizations should maintain inventories of deployed devices and establish replacement timelines aligned with manufacturer support lifecycles.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

A Cambridge study reveals that terrorist organizations including Boko Haram and ISIS are using ChatGPT, Claude, and Gemini to plan attacks and develop weapons. Safety filters designed to prevent such misuse have repeatedly failed.

6H AGOAI Desk

The Australian Cyber Security Centre has issued an alert about coordinated exploitation of vulnerable content management systems and plugins worldwide. The campaign targets organizations using outdated or unpatched CMS software.

8H AGOAI Desk

Artificial intelligence discovered a critical security vulnerability in Linux kernel code that human developers overlooked for over a decade. The bug could allow unauthorized root access to systems.

13H AGOAI Desk

Researchers have demonstrated a new attack called 'Ghostcommit' that hides prompt injections in PNG files to fool AI code reviewers and agents into exposing repository secrets.

15H AGOAI Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.