Cybersecurity researchers have identified an active malware campaign leveraging a critical vulnerability in discontinued D-Link DIR-823X routers to expand a Mirai botnet's infrastructure. The attack exploits CVE-2025-29635, a high-severity command-injection flaw that allows remote code execution on affected devices.
The vulnerability enables threat actors to execute arbitrary commands on vulnerable routers without authentication, providing a direct pathway for botnet recruitment. D-Link DIR-823X models, which have reached end-of-life status, remain exposed to this threat because many users continue to operate the legacy hardware and no security updates are available from the manufacturer.
Mirai botnets have historically targeted internet-connected devices with weak security postures, converting them into nodes for distributed denial-of-service attacks and other malicious activities. This latest campaign demonstrates the botnet's continued evolution and the persistent threat posed by unsupported networking equipment in residential and small business environments.
The exploitation of end-of-life router models highlights a significant challenge in the cybersecurity landscape. Once manufacturers discontinue support, devices no longer receive security patches, leaving users vulnerable indefinitely. D-Link DIR-823X owners cannot address this vulnerability through firmware updates, forcing them to choose between operating vulnerable hardware and replacing their equipment entirely.
Security professionals recommend that users of affected routers implement network-level protections, including restricting router access to trusted networks only and disabling remote management features. Organizations should audit their network infrastructure to identify and document any legacy D-Link routers still in operation.
The discovery underscores the importance of hardware lifecycle management in security planning. Enterprise and residential users alike should prioritize replacing end-of-life networking equipment before critical vulnerabilities emerge, rather than continuing to operate devices that manufacturers no longer support with security updates.