Overview
- Akamai’s incident team, which detected the campaign in March 2026, confirms active exploitation of CVE-2025-29635 against DIR-823X routers.
- The bug lets attackers run commands by sending a crafted POST request to the /goform/set_prohibiting endpoint on firmware versions 240126 and 24082.
- Successful intrusions download a script that installs a Mirai variant called tuxnokill from 88.214.20.14; the implant then connects to a hardcoded command-and-control server at 64.89.161.130:44300.
- The attack pattern mirrors a proof-of-concept that researchers posted on GitHub after disclosure and later removed.
- The same actor also targets flaws in TP-Link AX21 and ZTE ZXV10 H108L routers, widening the risk for home and small-office networks that rely on older hardware.
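A detection sketch for the three observable stages above (POST to the vulnerable endpoint, payload fetch, C2 session), written as an added example rather than anything from Akamai's report. The indicators come from the bullets; the access-log and connection-log formats and the sample lines are constructed assumptions, so adapt the regexes to your own log sources.

```python
import re

# Indicators quoted in the write-up above; the log formats below are assumed.
EXPLOIT_PATH = "/goform/set_prohibiting"
PAYLOAD_HOST = "88.214.20.14"
C2_ENDPOINT = ("64.89.161.130", 44300)

# Constructed sample input: router web-UI access log (common log format) and a
# perimeter connection log (timestamp src -> dst:port proto).
ACCESS_LOG = """\
203.0.113.5 - - [12/Mar/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2026:10:01:07 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 0
198.51.100.9 - - [12/Mar/2026:10:05:44 +0000] "POST /goform/login HTTP/1.1" 302 0
"""
CONN_LOG = """\
2026-03-12T10:01:09Z 192.168.0.1 -> 88.214.20.14:80 tcp
2026-03-12T10:01:15Z 192.168.0.1 -> 64.89.161.130:44300 tcp
2026-03-12T10:02:00Z 192.168.0.23 -> 93.184.216.34:443 tcp
"""
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
CONN_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)')

# Findings are (stage, host, detail); host is the web client or the local device.
def scan_access_log(text):
    """Flag POSTs to the vulnerable endpoint; a query string does not defeat the match."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == EXPLOIT_PATH:
            out.append(("exploitation_attempt", m["src"], m["path"]))
    return out

def scan_conn_log(text):
    """Flag fetches from the payload host and sessions to the hardcoded C2 socket."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        dst, port = m["dst"], int(m["port"])
        if dst == PAYLOAD_HOST:
            out.append(("payload_download", m["src"], f"{dst}:{port}"))
        elif (dst, port) == C2_ENDPOINT:
            out.append(("c2_beacon", m["src"], f"{dst}:{port}"))
    return out

def stages_seen(*finding_lists):
    """Distinct campaign stages observed across all logs, in kill-chain order."""
    seen = {f[0] for fl in finding_lists for f in fl}
    return [s for s in ("exploitation_attempt", "payload_download", "c2_beacon") if s in seen]
```

Seeing all three stages on one device in sequence is a much stronger signal than any single hit, since the endpoint probe alone may be a scanner and the payload host may be recycled.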