Mirai variant weaponizes RCE bug in end-of-life D-Link routers

A fresh Mirai botnet campaign is hunting end-of-life D-Link routers, chaining a remote code execution flaw to conscript unpatched devices into DDoS infrastructure. Because the affected hardware sits outside the vendor’s support window, no official firmware fix is coming — owners inherit the risk by continuing to run abandoned gear on the public internet.

The exploit path follows the familiar Mirai playbook: internet-exposed management interfaces, weak or default credentials, and legacy web endpoints with unpatched memory-corruption or command-injection bugs. Once a device is taken, it pivots to scanning for further vulnerable peers, expanding the botnet’s footprint without operator interaction.

The operational takeaway is structural, not tactical. EoL consumer networking gear remains a reliable recruitment pool for DDoS operators because replacement cycles lag vulnerability disclosure by years. Organizations and ISPs with any of these models in production should treat them as compromised-by-default and retire them — patching is not on the menu.