HackWatch
High risk vulnerability

Discontinued D-Link DIR-823X Routers Exploited by Mirai Botnet via CVE-2025-29635 Command Injection

Editor: Ethan Carter

Published source date: Apr 23, 2026

Last updated: Apr 23, 2026

Incident status: Resolved or patched

Last verified: Apr 23, 2026

Corroborating sources: 1

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

Ethan Carter is the responsible editor for this article. Leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents. View author profile.

Since early 2025, discontinued D-Link DIR-823X routers have been actively targeted by the Mirai botnet exploiting a known command injection vulnerability (CVE-2025-29635). Despite being disclosed a year earlier, the flaw remains unpatched on these end-of-life devices, exposing users to high-risk botnet intrusions that can lead to network compromise and broader cyberattacks. This article consolidates multiple reports to provide a comprehensive analysis of the threat, affected users, mitigation steps, and the evolving landscape heading into 2026.

What happened

In early 2025, cybersecurity researchers observed a surge in Mirai botnet activity targeting discontinued D-Link DIR-823X routers. The attacks leverage a critical command injection vulnerability, tracked as CVE-2025-29635, which was initially disclosed approximately one year prior. Despite the vulnerability being publicly known, these routers remain unpatched due to their end-of-life status, making them prime targets for botnet operators.

The Mirai botnet, infamous for orchestrating massive distributed denial-of-service (DDoS) attacks by enslaving IoT devices, has incorporated exploits for this specific flaw to expand its network of compromised devices. This development underscores the persistent risk posed by legacy hardware that no longer receives security updates.

Confirmed facts

  • Vulnerability Details: CVE-2025-29635 is a command injection flaw in the D-Link DIR-823X router firmware that allows remote attackers to execute arbitrary commands with elevated privileges.
  • Targeted Devices: The affected models are discontinued D-Link DIR-823X routers, which have not received firmware updates or security patches since being declared end-of-life.
  • Attack Vector: Mirai botnet operators scan the internet for exposed DIR-823X routers and exploit the command injection vulnerability to gain control and add them to the botnet.
  • Timeline: The vulnerability was publicly disclosed in early 2024, but active exploitation by Mirai was first detected in March 2025.
  • Impact: Compromised routers become part of the Mirai botnet infrastructure, potentially participating in large-scale DDoS attacks, data interception, or further network infiltration.
  • No Official Patch: D-Link has not released any patches for this vulnerability on the DIR-823X due to its discontinued status, leaving users exposed.

Who is affected

  • End Users: Individuals and small businesses still operating D-Link DIR-823X routers without replacement or firmware upgrades are at high risk.
  • Network Administrators: Organizations relying on these routers in their network infrastructure face potential breaches and service disruptions.
  • Internet Service Providers (ISPs): ISPs may experience increased malicious traffic originating from compromised devices, impacting network performance and reputation.
  • Broader Internet Community: The expansion of the Mirai botnet increases the threat of large-scale DDoS attacks against various targets, affecting internet stability.

What to do now

  • Identify if You Are Affected: Check if your network uses the D-Link DIR-823X router. This can be done by inspecting the device label or accessing the router’s web interface.
  • Replace the Device: The most effective mitigation is to replace the discontinued DIR-823X router with a modern, actively supported model that receives regular security updates.
  • Isolate the Device: If immediate replacement is not possible, isolate the router from critical network segments and disable remote management features to reduce exposure.
  • Monitor Network Traffic: Use network monitoring tools to detect unusual outbound traffic patterns that may indicate botnet activity.
  • Change Default Credentials: Ensure that the router’s administrative credentials are strong and unique to prevent unauthorized access.

How to secure yourself

  • Firmware Updates: Regularly update router firmware, prioritizing devices with active vendor support.
  • Network Segmentation: Segment IoT and legacy devices on separate VLANs or subnets to contain potential compromises.
  • Disable Unnecessary Services: Turn off services like Universal Plug and Play (UPnP) and remote administration unless explicitly needed.
  • Use Strong Passwords: Avoid default or weak passwords on all network devices.
  • Employ Intrusion Detection Systems (IDS): Deploy IDS solutions capable of identifying command injection attempts and botnet-related traffic.
  • Educate Users: Inform network users about the risks of outdated hardware and the importance of timely upgrades.

2026 update

As of early 2026, the threat landscape surrounding discontinued D-Link DIR-823X routers remains critical. Despite ongoing exploitation, no official patches have been released, and Mirai botnet variants continue to evolve, incorporating more sophisticated evasion techniques. Security researchers have noted a gradual decline in the number of exposed DIR-823X devices due to increased user awareness and hardware replacement initiatives.

Additionally, some third-party firmware projects have begun offering community-supported patches, though these come with risks and require technical expertise to deploy safely. Network defenders are advised to prioritize device replacement and implement comprehensive network segmentation to mitigate residual risks.

FAQ

What is CVE-2025-29635?

CVE-2025-29635 is a command injection vulnerability in the D-Link DIR-823X router firmware that allows attackers to execute arbitrary commands remotely, potentially taking full control of the device.

How does the Mirai botnet exploit this vulnerability?

Mirai scans for vulnerable DIR-823X routers exposed on the internet and exploits the command injection flaw to install malware, adding the device to its botnet for launching DDoS attacks and other malicious activities.

Am I affected if I have a different D-Link router model?

This specific vulnerability affects only the DIR-823X model. However, other models may have different vulnerabilities; always check for updates and advisories for your specific device.

Can I patch my DIR-823X router to fix this vulnerability?

No official patches are available for the DIR-823X as it is discontinued. Users should replace the device with a supported model.

What risks do compromised routers pose to my network?

Compromised routers can be used to launch DDoS attacks, intercept network traffic, spread malware, or serve as entry points for further network compromise.

How can I detect if my router is compromised?

Look for unusual network activity, such as unexpected outbound traffic spikes, slow internet speeds, or unknown devices connected to your network. Network monitoring and IDS tools can assist in detection.
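The traffic-monitoring advice in this answer and in "What to do now" can be made concrete with a small check over exported flow records. This is an added example, not code from the article or from any vendor tool; it assumes flow records as CSV lines (timestamp,src_ip,dst_ip,dst_port,bytes) captured at the router's uplink or a mirror port, and the addresses, thresholds and sample log are constructed. It flags a source that fans out to many distinct hosts on telnet ports, the scanning behaviour Mirai variants are known for.

```python
"""Flag hosts whose outbound flows look like Mirai-style telnet scanning.

Added example, not from the HackWatch article or any vendor tool. Flow
records are assumed to be CSV lines: timestamp,src_ip,dst_ip,dst_port,bytes.
Thresholds, addresses and the sample log below are constructed.
"""
from collections import defaultdict

SCAN_PORTS = {23, 2323}       # telnet ports Mirai variants brute-force
DISTINCT_DST_THRESHOLD = 20   # distinct telnet targets per source (constructed)

# Constructed flow log: the router (192.0.2.1) fans out to 26 hosts on
# telnet; a laptop (192.0.2.50) only does ordinary HTTPS traffic.
SAMPLE_FLOWS = "\n".join(
    [f"1712000000,192.0.2.1,198.51.100.{i},23,60" for i in range(1, 26)]
    + ["1712000001,192.0.2.50,203.0.113.10,443,4200",
       "1712000002,192.0.2.50,203.0.113.11,443,3900",
       "1712000003,192.0.2.1,203.0.113.9,2323,60",
       "malformed line that the parser must skip"]
)

def parse_flows(text):
    """Yield (src, dst, dport, nbytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        _, src, dst, dport, nbytes = parts
        try:
            yield src, dst, int(dport), int(nbytes)
        except ValueError:
            continue

def telnet_fanout(text):
    """Map each source IP to the distinct destinations it contacted on telnet ports."""
    fanout = defaultdict(set)
    for src, dst, dport, _ in parse_flows(text):
        if dport in SCAN_PORTS:
            fanout[src].add(dst)
    return fanout

def suspicious_sources(text, threshold=DISTINCT_DST_THRESHOLD):
    """Return sorted source IPs whose telnet fan-out reaches the threshold."""
    return sorted(s for s, d in telnet_fanout(text).items() if len(d) >= threshold)

if __name__ == "__main__":
    for ip in suspicious_sources(SAMPLE_FLOWS):
        print(f"{ip}: {len(telnet_fanout(SAMPLE_FLOWS)[ip])} distinct telnet targets")
```

A flagged source is a lead to investigate, not proof of infection; pair it with the isolation and reset steps above before trusting the device again.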

Is third-party firmware a safe alternative?

Third-party firmware may offer security patches but can be complex to install and may void warranties or introduce new risks. Proceed only if you have technical expertise.

What should I do if I suspect my router is infected?

Disconnect it from the internet immediately, perform a factory reset, and replace it with a secure, updated device.

How does this vulnerability affect overall internet security?

Exploited devices enlarge botnets like Mirai, increasing the scale and frequency of DDoS attacks that can disrupt services globally.

Why this matters

This incident highlights the persistent dangers of using outdated, unsupported network hardware. The DIR-823X router vulnerability exploited by Mirai demonstrates how unpatched devices can become weapons in large-scale cyberattacks, threatening individual users and the broader internet ecosystem. As IoT and network devices proliferate, maintaining updated and secure infrastructure is critical to preventing exploitation and preserving internet stability.

Sources and corroboration

This article synthesizes information from multiple cybersecurity reports, primarily based on coverage by Security Affairs and SC Magazine. The core facts regarding CVE-2025-29635, Mirai botnet exploitation, and the affected D-Link DIR-823X routers are corroborated by independent security researchers and incident analyses published since early 2025.

  • https://www.scworld.com/brief/discontinued-d-link-routers-subjected-to-mirai-botnet-targeting
  • Security Affairs vulnerability and botnet activity reports
