CVE-2025-29635: Mirai Exploits EoL D-Link Routers
- Actively exploited EoL D-Link routers are being recruited into a Mirai botnet, posing a DDoS threat.
- D-Link DIR-823X routers are vulnerable to a high-severity command-injection RCE (CVE-2025-29635).
- Immediately replace affected EoL D-Link DIR-823X routers to mitigate compromise risk.
A new campaign leveraging a Mirai-based malware variant is actively exploiting CVE-2025-29635, a vulnerability in End-of-Life (EoL) D-Link DIR-823X routers. Successful exploitation gives attackers remote control over affected devices, which are then enlisted into a growing botnet used primarily for Distributed Denial of Service (DDoS) attacks. The active nature of this exploitation underscores the critical need for security professionals and device owners to address vulnerabilities in legacy hardware.
Technical Details: Mirai D-Link DIR-823X Exploitation
The campaign centers on a high-severity command-injection vulnerability identified as CVE-2025-29635, impacting D-Link DIR-823X router models. A command injection vulnerability allows an attacker to execute arbitrary commands on the host operating system via a vulnerable application. In this context, successful exploitation grants threat actors a Remote Code Execution (RCE) capability, enabling them to download and install Mirai malware onto the compromised router. This specific vulnerability is particularly concerning as the affected D-Link devices have reached their End-of-Life status, meaning they no longer receive official security patches or firmware updates, leaving them permanently exposed to this flaw and any others that may be discovered.
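To make the command-injection class concrete, the following is an added, generic illustration (it is not the DIR-823X firmware code, which this article does not show, and it says nothing about how CVE-2025-29635 itself is triggered). It models a router admin page that lets a user "ping" a host, a classic place for this bug: the vulnerable handler concatenates user input into a shell command, while the hardened version validates the value against an allowlist and passes it as a discrete argument with no shell involved. The `ping` invocation and function names are assumptions for illustration.

```python
"""Command injection: vulnerable pattern beside its hardened form.

Added example for illustration only; not the router's actual code.
"""
import ipaddress
import re
import subprocess

# Hostname allowlist: labels of letters/digits/hyphens separated by dots.
# The first character must be alphanumeric so a value like "-h" cannot be
# misread as an option by the program even when no shell is involved.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def build_ping_command_unsafe(host):
    """VULNERABLE: user input is pasted into a shell command string.

    A value such as "192.0.2.1; id" becomes "ping -c 1 192.0.2.1; id", and
    /bin/sh would run the second command with the web server's privileges.
    """
    return "ping -c 1 " + host


def run_ping_unsafe(host):
    """VULNERABLE sink: shell=True hands the whole string to /bin/sh."""
    return subprocess.run(build_ping_command_unsafe(host), shell=True,
                          capture_output=True, timeout=5)


def validate_host(host):
    """Allowlist validation: accept an IP literal or a plain DNS name only.

    Anything else (shell metacharacters, spaces, leading '-') is rejected
    before it reaches the command, instead of trying to escape it.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def build_ping_argv_safe(host):
    """HARDENED: validated value as one argv element; no shell parsing."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping_safe(host):
    """HARDENED sink: argument list, shell=False, bounded runtime."""
    return subprocess.run(build_ping_argv_safe(host), shell=False,
                          capture_output=True, timeout=5)


if __name__ == "__main__":
    print(build_ping_command_unsafe("192.0.2.1; id"))   # metacharacters survive
    print(build_ping_argv_safe("192.0.2.1"))            # clean argv list
    try:
        build_ping_argv_safe("192.0.2.1; id")
    except ValueError as exc:
        print("blocked:", exc)
```

The hardened form relies on two independent controls: input validation that refuses anything outside the expected shape, and an execution path that never interprets the value as shell syntax. Either alone is weaker; escaping alone is the mistake that keeps this bug class alive in embedded web interfaces.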
Mirai is a notorious malware family known for targeting Internet of Things (IoT) devices, such as routers, IP cameras, and network video recorders. Once a device is compromised, Mirai malware scans for open ports and vulnerable credentials on other devices, attempting to propagate itself further. The primary objective of a Mirai infection is to expand the botnet’s capacity, which is then used to launch large-scale DDoS attacks against various targets. These attacks can cripple online services, cause significant financial losses, and disrupt critical infrastructure. According to BleepingComputer, the current campaign demonstrates active scanning and exploitation attempts against vulnerable D-Link DIR-823X routers, highlighting the immediate threat this CVE poses.
Broader Implications of End-of-Life D-Link Router Security
The continued Mirai D-Link DIR-823X exploitation underscores a persistent challenge in cybersecurity: the risk posed by unpatched, End-of-Life hardware. These devices often remain in operation long after vendor support ceases, becoming prime targets for attackers due to their known, unfixable vulnerabilities. The expansion of Mirai botnets through such exploitation contributes to a global increase in DDoS attack capabilities, impacting service availability and operational continuity for countless organizations. The command and control (C2) infrastructure behind these botnets is resilient, making it difficult to fully dismantle them, and the TTPs (Tactics, Techniques, and Procedures) often involve simple but effective methods like exploiting well-known flaws or default credentials. Organizations and individuals must understand that retaining EoL network infrastructure introduces a direct and unmitigable risk to their security posture.
Actionable Recommendations: CVE-2025-29635 Mitigation for D-Link Devices
Given the active exploitation and the EoL status of the D-Link DIR-823X routers, immediate and decisive action is required to prevent compromise and ensure network integrity. Effective mitigation of CVE-2025-29635 on D-Link devices focuses primarily on device replacement and network hygiene:
- Device Replacement: The paramount recommendation is to replace all D-Link DIR-823X routers immediately. As these devices are EoL, no patch will be issued for CVE-2025-29635 or any other discovered flaw. Replacing them with actively supported, patched hardware is the only reliable way to eliminate this specific vulnerability.
- Network Segmentation: For any essential legacy devices that cannot be immediately replaced, implement stringent network segmentation. Isolate these devices on a separate network segment, behind a robust firewall, and restrict their outbound and inbound communication to only what is absolutely necessary. This limits their attack surface and potential for lateral movement if compromised.
- Strong Authentication: Ensure all network devices utilize strong, unique passwords, and disable any default credentials. While this specific vulnerability bypasses credential checks, poor authentication practices can lead to other forms of compromise.
- Monitoring and Anomaly Detection: Implement network monitoring to detect unusual outbound traffic patterns, especially connections to suspicious IP addresses or domains associated with known Mirai command and control (C2) infrastructure. Utilize a SIEM or other logging solutions to collect and analyze router logs for signs of compromise, such as unexpected command executions or process starts. A dedicated SOC team can be invaluable in identifying and responding to these IoCs promptly.
- Adopt a Zero Trust Architecture: Moving towards a Zero Trust model can significantly enhance security. This approach assumes no implicit trust and requires continuous verification for every user and device attempting to access network resources, regardless of their location.
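The segmentation and monitoring recommendations above can be turned into concrete detection logic. The following is an added example, not code from the article or from any vendor: it parses simplified firewall flow-log lines for a legacy/IoT segment and raises alerts for three behaviours a Mirai-infected router would exhibit, namely a connection to a known-C2 watchlist address, egress from the segment to a destination outside its allowlist (a segmentation policy violation), and scan-like fan-out where one source touches many hosts on the telnet ports Mirai propagates over. The log format, the 192.168.50.0/24 segment, the allowlist, the C2 watchlist addresses and the scan threshold are all constructed placeholders; a real deployment would take the watchlist from a threat-intelligence feed and the log lines from the firewall or SIEM.

```python
"""Detection sketch for Mirai-style behaviour on a segregated legacy VLAN.

Added example with constructed data; not the article's or any vendor's code.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical legacy/IoT segment and its egress allowlist (placeholders).
LEGACY_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("192.168.50.0/24"),   # intra-segment traffic
    ipaddress.ip_network("192.168.1.10/32"),   # internal DNS/NTP (placeholder)
]
# Placeholder C2 watchlist (documentation range); substitute a real feed.
C2_WATCHLIST = {"198.51.100.77"}
TELNET_PORTS = {23, 2323}          # Mirai's classic propagation ports
SCAN_THRESHOLD = 5                 # distinct telnet targets from one source

# Simplified flow-log line: "<ts> src=<ip> dst=<ip> dport=<n> proto=<p> action=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample: one benign lookup, one C2 beacon attempt, five telnet
# probes to distinct hosts, one out-of-policy HTTPS session, one line from
# outside the segment (ignored) and one malformed line (skipped).
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z src=192.168.50.12 dst=192.168.1.10 dport=53 proto=udp action=allow",
    "2025-05-01T10:00:05Z src=192.168.50.12 dst=198.51.100.77 dport=6667 proto=tcp action=deny",
    "2025-05-01T10:00:06Z src=192.168.50.12 dst=203.0.113.1 dport=23 proto=tcp action=deny",
    "2025-05-01T10:00:06Z src=192.168.50.12 dst=203.0.113.2 dport=23 proto=tcp action=deny",
    "2025-05-01T10:00:07Z src=192.168.50.12 dst=203.0.113.3 dport=2323 proto=tcp action=deny",
    "2025-05-01T10:00:07Z src=192.168.50.12 dst=203.0.113.4 dport=23 proto=tcp action=deny",
    "2025-05-01T10:00:08Z src=192.168.50.12 dst=203.0.113.5 dport=23 proto=tcp action=deny",
    "2025-05-01T10:00:09Z src=192.168.50.30 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    "2025-05-01T10:00:10Z src=10.0.0.99 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    "this line is not a flow record",
]


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_egress(dst):
    """True when the destination is inside the segment's egress allowlist."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in EGRESS_ALLOWLIST)


def analyze(lines):
    """Run the three detections over an iterable of log lines.

    Returns a list of (kind, source, detail) tuples. Both allowed and denied
    flows are examined: a denied C2 beacon still means the device is infected.
    """
    alerts = []
    telnet_fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in LEGACY_SEGMENT:
            continue                      # only the legacy segment is in scope
        if rec["dst"] in C2_WATCHLIST:
            alerts.append(("c2_watchlist", rec["src"], rec["dst"]))
        if not is_allowed_egress(rec["dst"]):
            alerts.append(("egress_violation", rec["src"], rec["dst"]))
        if rec["dport"] in TELNET_PORTS:
            telnet_fanout[rec["src"]].add(rec["dst"])
    for src, targets in sorted(telnet_fanout.items()):
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("telnet_scan", src, f"{len(targets)} distinct hosts"))
    return alerts


def count_by_kind(alerts):
    """Summarise alerts as {kind: count} for a quick triage view."""
    return dict(Counter(kind for kind, _, _ in alerts))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print(count_by_kind(analyze(SAMPLE_LOG)))
```

Two design points are worth noting. First, the egress check treats every flow leaving the segment that is not on the allowlist as a finding, whether or not the firewall denied it: on a properly segmented network a denied attempt is exactly the signal that a device is trying to do something it never needed to do. Second, the scan detection keys on distinct destinations rather than packet counts, which is what separates Mirai-style propagation from a single legitimate telnet session; the threshold is deliberately a tunable constant that should be set from a baseline of the segment's normal behaviour.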
Security professionals must actively communicate these risks to stakeholders and prioritize the deprecation of EoL hardware within their environments. Proactive management of the hardware lifecycle is essential for building a resilient defense against threats like Mirai.