A new wave of cyberattacks has surfaced, with a Mirai-based botnet exploiting a number of significant vulnerabilities in routers and smart devices, primarily targeting industrial and home networks worldwide.
The Shadowserver Foundation recently shared on X that the botnet is actively exploiting several vulnerabilities, including CVE-2024-41473 (Tenda), CVE-2024-12987 (DrayTek), CVE-2024-9916 (HuangDou UTCMS V9), CVE-2024-9644 (likely Four-Faith) and multiple vulnerabilities in Totolink devices (CVE-2024-2353, CVE-2024-24328, CVE-2024-24329).
A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs. Includes:
– Tenda CVE-2024-41473
– Draytek CVE-2024-12987
– HuangDou UTCMS V9 CVE-2024-9916
– Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
– (likely) Four-Faith CVE-2024-9644
— The Shadowserver Foundation (@Shadowserver) February 12, 2025
The botnet leverages publicly disclosed (n-day) vulnerabilities, all of them assigned CVE identifiers in 2024, to infiltrate internet-exposed routers and other IoT devices that have not been patched. Key vulnerabilities include:
CVE-2024-41473 is a high-severity command injection vulnerability in the Tenda FH1201 router, specifically affecting firmware version 1.2.0.14.
The flaw resides in the mac parameter of the endpoint /ip/goform/WriteFacMac, which fails to properly neutralize special characters in OS commands.
This allows attackers to inject arbitrary commands, gaining unauthorized control over the router.
The vulnerability has a CVSS v3.1 score of 8.0, indicating high severity due to its potential to compromise confidentiality, integrity, and availability.
CVE-2024-12987 affects DrayTek Vigor2960 and Vigor300B routers running firmware version 1.5.1.4. It is classified as a command injection flaw in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint of the web management interface.
Attackers can manipulate the session argument to execute arbitrary OS commands remotely without authentication.
The vulnerability has a CVSS v3.x score of 7.3 (high severity), with public exploits available, making it an attractive target for attackers.
CVE-2024-9916 is an OS command injection vulnerability in HuangDou UTCMS V9, located in the file app/modules/ut-cac/admin/cli.php.
The flaw arises from improper input validation of the o parameter, allowing remote attackers to execute arbitrary commands without authentication or user interaction.
The vulnerability has a CVSS v3.x score of 7.3 (high severity), reflecting a partial impact on the confidentiality, integrity and availability of the affected host.
CVE-2024-9644 affects Four-Faith F3x36 routers running firmware version 2.0.0 and involves an authentication bypass in the bapply.cgi endpoint of the administrative web server.
Unlike its counterpart apply.cgi, which enforces authentication, bapply.cgi allows unauthorized access to critical router settings.
Attackers can exploit this flaw to modify configurations or chain it with other vulnerabilities for broader system compromise.
CVE-2024-2353, CVE-2024-24328 and CVE-2024-24329 affect Totolink routers and involve stack-based buffer overflows and command injection in the CGI code that handles HTTP requests to the device's web interface.
Exploitation allows attackers to trigger denial-of-service conditions or execute arbitrary code remotely; because the web server on these devices typically runs as root, successful exploitation yields full control of the router.
These flaws are particularly concerning because they can be leveraged for large-scale botnet operations like Mirai.
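A practical first step for defenders is to hunt for exploitation attempts against the endpoints named above in web-server or reverse-proxy access logs. The following script is an added example written for this article; it is not code from Shadowserver or from any of the affected vendors. The endpoint paths and parameter names (WriteFacMac/mac, apmcfgupload/session, cli.php/o, bapply.cgi) are taken from the vulnerability descriptions above; the log lines, the shell-metacharacter list, the oversized-value threshold used as a stack-overflow indicator, and the /cgi-bin/cstecgi.cgi path in the last sample line are constructed assumptions for illustration.

```python
"""Hunt access logs for attempts against the endpoints exploited by this Mirai variant.

Constructed example for this article (not Shadowserver's or a vendor's code).
Endpoints and parameters come from the CVE descriptions; everything else
(sample log lines, thresholds, metacharacter list) is an assumption.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint -> (CVE, parameter that carries injected input).
# A parameter of None means any request to the path is itself the signal,
# as with the Four-Faith bapply.cgi authentication bypass.
WATCHED_ENDPOINTS = {
    "/ip/goform/WriteFacMac": ("CVE-2024-41473", "mac"),
    "/cgi-bin/mainfunction.cgi/apmcfgupload": ("CVE-2024-12987", "session"),
    "/app/modules/ut-cac/admin/cli.php": ("CVE-2024-9916", "o"),
    "/bapply.cgi": ("CVE-2024-9644", None),
}

# Shell metacharacters and downloader names that have no business inside a
# MAC address, session id or CLI argument. parse_qsl percent-decodes values,
# so encoded forms such as %3B are caught as well. (Assumed list.)
SHELL_META = re.compile(r"[;&|`$()\n]|\b(wget|curl|tftp|chmod)\b")

# Assumed threshold for a Totolink-style stack-overflow indicator: no
# legitimate MAC, schedule or address string on these devices is this long.
OVERSIZE = 200

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_line(line, body=""):
    """Return a list of (cve, reason) findings for one access-log line.

    Most of these endpoints are hit with POST bodies; pass the body separately
    when the collector records it. Query string and body are parsed alike."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = url.path.rstrip("/")
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))

    findings = []
    for endpoint, (cve, param) in WATCHED_ENDPOINTS.items():
        if not path.endswith(endpoint):
            continue
        if param is None:
            findings.append((cve, f"request to {endpoint} (unauthenticated endpoint)"))
        elif param in params and SHELL_META.search(params[param]):
            findings.append((cve, f"shell metacharacters in {param}={params[param]!r}"))
    # Generic memory-corruption indicator, independent of endpoint.
    for name, value in params.items():
        if len(value) > OVERSIZE:
            findings.append(("stack-overflow-heuristic", f"oversized {name} ({len(value)} bytes)"))
    return findings


def scan(entries):
    """Run analyse_line over (line, body) pairs; return (ip, cve, reason) tuples."""
    hits = []
    for line, body in entries:
        m = LOG_RE.match(line)
        for cve, reason in analyse_line(line, body):
            hits.append((m.group("ip"), cve, reason))
    return hits


# Constructed sample log entries (line, body). The cstecgi.cgi path is assumed.
SAMPLE_LOG = [
    ('203.0.113.5 - - [12/Feb/2025:10:01:02 +0000] "POST /ip/goform/WriteFacMac HTTP/1.1" 200 43',
     "mac=00:11:22:33:44:55;id"),
    ('203.0.113.6 - - [12/Feb/2025:10:01:09 +0000] '
     '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc%3Bwget+x HTTP/1.1" 200 17', ""),
    ('192.0.2.10 - - [12/Feb/2025:10:02:00 +0000] "POST /ip/goform/WriteFacMac HTTP/1.1" 200 43',
     "mac=00:11:22:33:44:55"),  # benign configuration change
    ('203.0.113.7 - - [12/Feb/2025:10:03:00 +0000] "POST /bapply.cgi HTTP/1.1" 200 5', ""),
    ('203.0.113.8 - - [12/Feb/2025:10:04:00 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 5',
     "week=" + "A" * 300),
]

if __name__ == "__main__":
    for ip, cve, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{cve}\t{reason}")
```

Feed real logs in as (line, body) pairs; the benign Tenda request in the sample is deliberately left unflagged to show that the rule keys on metacharacters in the named parameter rather than on the endpoint alone, whereas bapply.cgi is flagged on sight because the vulnerability is the missing authentication check itself.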
The Mirai botnet has evolved significantly since its initial discovery. It now incorporates capabilities such as distributed denial-of-service (DDoS) attacks exceeding 100 Gbps, disrupting services even on robust infrastructures.
The botnet’s primary goal is financial gain through DDoS-for-hire services. It currently operates with approximately 15,000 active nodes daily, targeting entities in countries such as China, Russia, the United States, Turkey, and Iran.
To protect against these attacks, cybersecurity experts recommend the following steps:
The resurgence of Mirai underscores the persistent threat posed by IoT botnets exploiting unpatched vulnerabilities.
Organizations must prioritize threat intelligence sharing and adopt robust security frameworks to mitigate risks associated with evolving malware campaigns like Mirai.