A Mirai-based botnet campaign is actively exploiting CVE-2025-29635 in D-Link DIR-823X routers, executing commands via a POST request to /goform/set_prohibiting to enlist the devices. Akamai SIRT observed the activity in March 2026 and found that the attackers download and run a multi-architecture Mirai variant called “tuxnokill.” The affected models reached end-of-life in November 2024, making vendor fixes unlikely.
Key points
- A Mirai-based campaign exploits CVE-2025-29635 in D-Link DIR-823X routers to achieve remote command execution.
- Akamai SIRT detected active exploitation in early March 2026 using global honeypots.
- Attackers send POST requests to /goform/set_prohibiting to download and execute a shell script (dlink.sh) that installs a Mirai payload.
- The deployed payload, “tuxnokill,” is a multi-architecture Mirai variant capable of TCP/UDP and HTTP DDoS attacks.
- Impacted routers reached EoL in November 2024; users should upgrade hardware, disable remote administration, change default admin passwords, and monitor for configuration changes.
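
For the monitoring recommended above, the following is an added example, not code from Akamai or D-Link. It triages HTTP access logs for POSTs to the endpoint named in this summary and for references to the dropper and payload names, normalizing each request path first so encoded or padded forms still match. It assumes common/combined log format from a gateway or proxy in front of the router and treats paths as case-insensitive; the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Indicators named in the write-up; nothing else about the exploit is assumed.
EXPLOIT_PATH = "/goform/set_prohibiting"
DROPPER_NAMES = ("dlink.sh", "tuxnokill")

# Assumption: logs are in Apache/nginx common or combined format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def normalize_path(target):
    """Reduce a request target to a canonical lowercase path for matching."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = path.split("?", 1)[0].split("#", 1)[0]
    # Decode twice so single and double percent-encoding both collapse.
    path = unquote(unquote(path)).replace("\\", "/")
    # normpath removes "//", "/./" and "/../" segments and trailing slashes.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def scan(lines):
    """Return (line_no, source, reason) for each log line worth triaging."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        src = m["src"] if m else "?"
        if m and m["method"] == "POST" and normalize_path(m["target"]) == EXPLOIT_PATH:
            hits.append((no, src, "POST to " + EXPLOIT_PATH))
            continue
        decoded = unquote(line).lower()
        name = next((n for n in DROPPER_NAMES if n in decoded), None)
        if name:
            hits.append((no, src, "reference to " + name))
    return hits

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Mar/2026:10:00:01 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
    '198.51.100.7 - - [05/Mar/2026:10:00:02 +0000] "POST /goform//%73et_prohibiting?x=1 HTTP/1.1" 200 12',
    '192.0.2.10 - - [05/Mar/2026:10:01:00 +0000] "GET /goform/set_prohibiting HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Mar/2026:10:02:00 +0000] "POST /index.html HTTP/1.1" 200 20',
    '203.0.113.9 - - [05/Mar/2026:10:03:00 +0000] "GET /dlink.sh HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on the endpoint from a WAN-side source, or any outbound fetch of the named script from the router's address, is a reason to isolate the device and inspect its configuration.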