The Akamai Security Intelligence and Response Team (SIRT) has issued a warning regarding a surge in malicious activity targeting end-of-life networking hardware. According to a new report, threat actors are actively weaponizing a year-old command injection vulnerability to draft retired D-Link routers into the ranks of the notorious Mirai botnet.
The SIRT first identified this activity within their global network of honeypots in early March 2026, marking the “first reported active exploitation of these vulnerabilities since their initial disclosures in March 2025”.
The campaign specifically focuses on CVE-2025-29635, a command injection vulnerability impacting D-Link DIR-823X series routers running firmware versions 240126 and 24082. While these devices were popular in home and small office environments, they were officially discontinued by the vendor in September 2025.

The vulnerability allows an authorized attacker to execute arbitrary commands on remote devices by sending a specialized POST request to a vulnerable endpoint. As the report explains: “This vulnerability exists in D-Link DIR-823X series routers… and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint… which can trigger remote command execution.”
Once the command is executed, the router is infected with a Mirai variant, becoming a zombie node capable of participating in massive Distributed Denial of Service (DDoS) attacks.
Researchers noted that the barrier to entry for these attacks is lower than ever. Many threat actors frequently target older vulnerabilities because “public PoC exploits exist for these vulnerabilities, [and] attackers can easily incorporate them into their exploitation vectors”.
Furthermore, the report touched on the growing influence of Artificial Intelligence in the threat landscape. While some attackers may claim to be against AI, others view it as a force multiplier. The SIRT notes that the potential of AI is there for both sides, “whether that is helping them code malware, or identify new vulnerabilities to exploit”.
Many organizations continue to use vulnerable, retired devices or fail to apply patches in a timely manner.
To ensure operational security, Akamai SIRT highly recommends that organizations:
- Monitor Disclosures: Regularly track vulnerability disclosures relevant to their specific infrastructure.
- Retire Old Hardware: Replace devices that have reached end-of-life (EOL) status, as they no longer receive critical security updates.
- Apply Safeguards: Ensure that even legacy devices are protected by proper patches and network-level safeguards.
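As an added example (not code from the Akamai report), the check below scans gateway or reverse-proxy access logs for POST requests to the `/goform/set_prohibiting` endpoint named above and counts the sources that sit outside the LAN. It assumes combined-format logs and the LAN ranges listed in `LAN_NETS`; the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

TARGET_PATH = "/goform/set_prohibiting"  # endpoint named in the report
# Assumption: these ranges are the trusted LAN side; adjust to your network.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Drop the query, decode percent-escapes, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def is_external(ip_text):
    """True when the source is outside LAN_NETS or cannot be parsed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in LAN_NETS)

def find_hits(lines):
    """Return (ip, timestamp, status, external) for each POST to TARGET_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and normalize_path(m["target"]) == TARGET_PATH:
            hits.append((m["ip"], m["ts"], int(m["status"]), is_external(m["ip"])))
    return hits

def external_sources(hits):
    """Count hits per source address outside the LAN ranges."""
    return Counter(ip for ip, _ts, _status, ext in hits if ext)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.23 - - [04/Mar/2026:10:01:02 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
    '198.51.100.23 - - [04/Mar/2026:10:01:09 +0000] "POST /goform//set%5Fprohibiting?x=1 HTTP/1.1" 200 12',
    '192.168.0.10 - - [04/Mar/2026:10:05:00 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12',
    '203.0.113.9 - - [04/Mar/2026:10:06:00 +0000] "GET /goform/set_prohibiting HTTP/1.1" 404 0',
    '203.0.113.9 - - [04/Mar/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, count in external_sources(find_hits(SAMPLE)).items():
        print(f"external POST to {TARGET_PATH}: {ip} x{count}")
```

Any external hit with a 2xx status means the router's management interface is reachable from the WAN side, which is the exposure to close first.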
As the report concludes, “Mirai malware campaigns continue to plague the industry, with much of the original source code continuing to be re-used by various threat actors”. Vigilance and proactive hardware lifecycle management remain the best defenses against these persistent botnet threats.