Nexcorium Mirai Variant Targets DVRs in Growing Botnet Campaign

Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, accor

A newly identified Mirai botnet variant called Nexcorium is actively exploiting security vulnerabilities in digital video recorders and networking equipment to build a sprawling infrastructure for distributed denial-of-service attacks. Security researchers have documented the malware's ability to compromise TBK DVR devices through a command injection flaw that allows remote attackers to inject and execute arbitrary commands.

The primary vulnerability being weaponized is CVE-2024-3721, a medium-severity command injection flaw affecting TBK DVR systems. With a CVSS score of 6.3, the vulnerability provides attackers with a direct pathway to gain control of vulnerable devices. Once compromised, these recorders become nodes in the Nexcorium botnet, capable of participating in coordinated DDoS attacks against targeted networks and services.

The campaign extends beyond DVR systems to include end-of-life TP-Link Wi-Fi routers, which are similarly vulnerable to exploitation. The targeting of outdated networking equipment highlights a persistent challenge in IoT security: older devices no longer receiving security updates remain attractive targets for botnet operators seeking to expand their attack infrastructure.

The discoveries come from threat intelligence teams at two major security firms who have been monitoring the Nexcorium variant's propagation and attack patterns. Their analysis reveals the botnet's ability to spread rapidly across networks containing unpatched devices, particularly in environments where legacy equipment remains in active use without regular security maintenance.

Organizations relying on TBK DVR systems are being urged to assess their exposure and apply available security patches. For businesses still operating end-of-life TP-Link routers, migration to supported hardware with active security updates is strongly recommended. The emergence of Nexcorium underscores the ongoing threat posed by Mirai variants and similar malware families that continue evolving to exploit new vulnerabilities in consumer and business-grade networking devices. Administrators should prioritize vulnerability scanning and patch management across their entire device inventory to prevent unauthorized botnet enrollment.

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.