Researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report threat actors exploiting vulnerabilities in TBK DVRs and end-of-life TP-Link routers to deploy Mirai-like botnets, including a Nexcorium variant. The campaigns leverage CVE-2024-3721 to deliver downloaders and use Telnet brute-forcing and other exploits for lateral movement and persistence; scans targeting CVE-2023-33538 have also been observed against unsupported TP-Link models. #Nexcorium #TPLink
Key points
- Threat actors exploit CVE-2024-3721 in TBK DVRs to deploy a Mirai variant called Nexcorium.
- Nexcorium supports multiple architectures, uses XOR-encoded configs, and includes DDoS and watchdog modules.
- The malware also exploits CVE-2017-17215 against Huawei HG532 devices and uses a hard-coded credential list for Telnet brute-forcing.
- Unit 42 observed automated scans targeting CVE-2023-33538 in EoL TP-Link routers, a flaw whose exploitation requires web-interface authentication and which is listed in CISA's KEV catalog.
- Owners of affected TP-Link models should replace unsupported devices and avoid default credentials to mitigate infection risk.
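The Telnet brute-forcing described above is noisy on the device side, and a burst of failed logins followed by a success from the same source is the pattern a defender wants to catch. The following is an added example, not code from Fortinet, Unit 42 or the report: it parses constructed telnetd-style syslog lines (the format and the thresholds are assumptions to tune for a real device fleet) and flags sources that reach a failure threshold inside a sliding window, noting whether a successful login followed.

```python
"""Flag Telnet brute-force bursts in syslog-style authentication logs.

Added example for this summary; not code from Fortinet, Unit 42 or the
Nexcorium report. The log format is a constructed approximation of what a
busybox/telnetd-style device might emit, and the threshold and window are
assumptions a defender would tune to their own environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2026-04-02T10:00:01Z dvr01 telnetd: login failed for 'root' from 203.0.113.7
2026-04-02T10:00:02Z dvr01 telnetd: login failed for 'admin' from 203.0.113.7
2026-04-02T10:00:03Z dvr01 telnetd: login failed for 'root' from 203.0.113.7
2026-04-02T10:00:04Z dvr01 telnetd: login failed for 'admin' from 203.0.113.7
2026-04-02T10:00:05Z dvr01 telnetd: login failed for 'support' from 203.0.113.7
2026-04-02T10:00:06Z dvr01 telnetd: login succeeded for 'root' from 203.0.113.7
2026-04-02T10:05:00Z dvr01 telnetd: login failed for 'root' from 198.51.100.9
2026-04-02T11:00:00Z dvr01 telnetd: login failed for 'root' from 198.51.100.9
"""

# Assumed line layout: "<iso-timestamp> <host> telnetd: login <result> for '<user>' from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: alert} for every source that reaches `threshold` failed
    logins within `window`. Each alert records the usernames tried and
    whether a later success from that source was seen (likely compromise)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    users = defaultdict(set)       # src -> usernames attempted
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        users[src].add(ev["user"])
        if ev["result"] == "failed":
            q = failures[src]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "src": src, "host": ev["host"], "first_seen": q[0],
                    "failures": 0, "users": users[src], "success_after": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
        elif src in alerts:
            # A success after a flagged burst is the signal to act on.
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for a in find_bruteforce(SAMPLE_LOG).values():
        status = "SUCCESS AFTER BURST" if a["success_after"] else "burst only"
        print(f"{a['host']}: {a['src']} {a['failures']} failures "
              f"({', '.join(sorted(a['users']))}) - {status}")
```

The two failures from 198.51.100.9 are 55 minutes apart and never fill the window, so they are not flagged; the first source crosses the threshold at its fifth failure and is then upgraded when the success for root arrives, which is the event worth paging on. A device that still accepts default credentials over Telnet produces exactly this sequence, which is why replacing unsupported hardware and changing defaults matters more than tuning the detector.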
Read More: https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html