A new command injection vulnerability is being exploited in Edimax Internet of Things (IoT) devices to spread Mirai malware, according to a report by the Akamai Security Intelligence and Response Team (SIRT). The vulnerability, tracked as CVE-2025-1316, is actively being used by multiple botnets.
The Akamai SIRT discovered activity targeting Edimax IoT devices in October 2024, but further research revealed a proof of concept (PoC) exploit dating back to June 2023. “The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi,” the report states. The exploit requires authentication, but attackers are using default credentials, “typically admin:1234, which is the default credentials for Edimax devices.”
While the CVE disclosure mentions Edimax’s IC-7100 network camera, the report indicates that “the full scope of vulnerable devices and firmware goes beyond just this model,” suggesting a potentially wider impact.
Akamai SIRT’s analysis has revealed active exploitation of this vulnerability since at least May 2024, with different botnets involved. One botnet injects commands to download and execute a shell script, which in turn downloads and executes the main Mirai malware payload. This activity aligns with typical Mirai botnet behavior. The malware beacons out to a command and control (C2) domain identified as an “Unstable Mirai” variant.
Another botnet exploiting the same vulnerability has been active since at least May 2024. This botnet also uses a shell script to download and execute Mirai malware. This malware exhibits common Mirai offensive techniques, such as UDP floods and TCP SYN floods.
The report highlights the continued threat posed by Mirai malware and the ease with which botnets can be created. “The legacy of Mirai continues to plague organizations worldwide as the propagation of Mirai malware-based botnets shows no signs of stopping,” the report states. The availability of tutorials and source code, and now AI assistance, has made it easier for cybercriminals to deploy botnets.
“There are many hardware manufacturers who do not issue patches for retired devices,” the report notes, adding that the specific Edimax model targeted in this campaign is retired and will not receive further updates. In such cases, the report recommends upgrading vulnerable devices to newer models.
Related Posts:
- CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
- Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
- New Satori botnet used Huawei zero-day & 280,000 IP addresses was infected in 12 hours
- Mirai Botnet Exploits Ivanti Vulnerabilities (CVE-2023-46805 & CVE-2024-21887)
- New Mirai Botnet Variants with AI-Powered Attacks Observed
