According to a recent investigation by the Akamai Security Intelligence and Response Team (SIRT), a notorious malware family known as Zerobot has re-emerged with new tricks. This latest iteration, dubbed “Zerobotv9,” is not just going after standard home internet equipment; it is actively attacking enterprise-level workflow automation systems.
The Akamai SIRT discovered this new wave of attacks in mid-January 2026. While the hackers were indeed targeting standard hardware (specifically, Tenda AC1206 home routers), they were also exploiting a vulnerability in a popular corporate software platform called n8n.
The n8n platform is essentially a digital middleman. Businesses use it to seamlessly connect their internal databases, cloud services, and everyday apps.
As the Akamai report points out, this shift in focus is a major red flag for corporate security teams: “Targeting of the n8n vulnerability is particularly interesting: Botnets typically exploit Internet of Things (IoT) devices, such as security cameras, DVRs, and routers, but n8n falls into an entirely different category.”
If a hacker takes over a home router, they might use it to launch spam traffic. But if a hacker takes over an n8n platform, they can potentially move laterally into an organization’s most sensitive internal networks, stealing API keys and manipulating critical data.
The malware is exploiting two known vulnerabilities that already have public fixes:
- The Tenda Router Flaw (CVE-2025-7544): This is a remote stack-based buffer overflow affecting the /goform/setMacFilterCfg endpoint in Tenda AC1206 devices on version 15.03.06.23. It was rated as critical and can be exploited via the deviceList parameter.
- The n8n Platform Flaw (CVE-2025-68613): This bug is caused by a lack of “sandboxing.” Normally, software acts like it’s playing in a sandbox, unable to touch the rest of the computer system. Because of this flaw, attackers can break out of the sandbox and run commands directly on the main server.
Once the attackers slip through these cracks, they run a simple script (named tol.sh) that installs the main Zerobot payload.
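For defenders, the indicators named above (the /goform/setMacFilterCfg endpoint, the deviceList parameter and the tol.sh script name) can be hunted for in HTTP request records. The following is an added example, not code from the Akamai report; the JSON-lines record format, its field names (src, url, body) and the length threshold are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qs

TENDA_PATH = "/goform/setMacFilterCfg"  # endpoint named in the article
TENDA_PARAM = "deviceList"              # parameter named in the article
DROPPER_NAME = "tol.sh"                 # installer script named in the article
MAX_DEVICELIST_LEN = 256                # assumed threshold; tune to local traffic

def classify(record):
    """Return the findings for one HTTP request record (a dict)."""
    findings = []
    url = urlsplit(str(record.get("url") or ""))
    if url.path.rstrip("/").rsplit("/", 1)[-1] == DROPPER_NAME:
        findings.append("dropper-fetch")
    if url.path == TENDA_PATH:
        # The parameter may arrive in the query string or a form-encoded body.
        values = []
        for raw in (url.query, str(record.get("body") or "")):
            values += parse_qs(raw, keep_blank_values=True).get(TENDA_PARAM, [])
        if any(len(v) > MAX_DEVICELIST_LEN for v in values):
            findings.append("tenda-oversized-deviceList")
        elif values:
            findings.append("tenda-macfilter-write")
    return findings

def scan(lines):
    """Scan JSON-lines records; return (line_no, source, finding) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if isinstance(rec, dict):
            hits += [(n, rec.get("src", "?"), f) for f in classify(rec)]
    return hits

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE = [
    json.dumps({"src": "198.51.100.7", "url": "http://192.0.2.1/goform/setMacFilterCfg",
                "body": "deviceList=" + "A" * 600}),
    json.dumps({"src": "192.0.2.50", "url": "http://203.0.113.9/tol.sh"}),
    json.dumps({"src": "192.0.2.20", "url": "http://192.0.2.1/goform/setMacFilterCfg",
                "body": "deviceList=short-value"}),
    json.dumps({"src": "192.0.2.21", "url": "http://example.com/index.html"}),
    "not json",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A "dropper-fetch" hit from an internal source address is the one to triage first, since it suggests a host on the network has already been instructed to download the installer.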
As the report notes, “The opportunistic exploitation of recently disclosed vulnerabilities by threat actors is quite common these days. Even astute organizations that are on top of patching will often have a vulnerable window after the initial disclosure, and some orgs neglect any patching of these devices.”
At its core, Zerobot is built on the bones of Mirai, an infamous piece of malware that caused massive internet outages years ago. Despite the original creators being caught, the code for Mirai is freely available online, allowing amateur and seasoned hackers alike to create their own spin-offs.
The Akamai researchers offer a conclusion on why these attacks keep happening: “The proliferation of Mirai unfortunately continues despite some recent high-profile takedowns by law enforcement, as setting up a Mirai-based botnet can have a fairly low barrier of entry.”