{"id":235727,"date":"2026-04-23T02:30:34","date_gmt":"2026-04-23T07:30:34","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/04\/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers"},"modified":"2026-04-23T02:30:34","modified_gmt":"2026-04-23T07:30:34","slug":"new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/04\/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers","title":{"rendered":"New Mirai campaign exploits RCE flaw in EoL D-Link routers"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers.jpg\"><\/a><\/p>\n<p>A new Mirai-based malware campaign is actively exploiting CVE-2025\u201329635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet.<\/p>\n<p>CVE-2025\u201329635 allows an attacker to execute arbitrary commands on remote devices by sending a POST request to a vulnerable endpoint, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-29635\" target=\"_blank\" rel=\"nofollow noopener\">triggering remote command execution<\/a> (RCE).<\/p>\n<p>Akamai\u2019s SIRT, which detected the Mirai campaign in March 2026, reports that, although the flaw was first disclosed 13 months ago by security researchers Wang Jinshuai and Zhao Jiangting, this is the first time in-the-wild active exploitation has been observed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new Mirai-based malware campaign is actively exploiting CVE-2025\u201329635, a high-severity command-injection vulnerability affecting D-Link DIR-823X routers, to enlist devices into the botnet. CVE-2025\u201329635 allows an attacker to execute arbitrary commands on remote devices by sending a POST request to a vulnerable endpoint, triggering remote command execution (RCE). Akamai\u2019s SIRT, which detected the Mirai campaign [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-235727","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=235727"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/235727\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=235727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=235727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=235727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}