Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.
Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.
References:
- securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
- www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
- The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
- www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
- www.scworld.com: Edimax IP camera zero-day
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.
CISO2CISO Editor 2@ciso2ciso.com
//
Cloudflare successfully mitigated a record-breaking 5.6 Tbps Distributed Denial of Service (DDoS) attack on October 29, 2024. The attack, launched by a Mirai-variant botnet, targeted an internet service provider (ISP) in East Asia. The botnet comprised 13,000 compromised IoT devices that flooded the target with malicious traffic aimed at crippling the ISP's operations.
The attack lasted only 80 seconds, but Cloudflare's autonomous defense systems promptly identified and mitigated the anomalous traffic without human intervention, intercepting and neutralizing the malicious data at Cloudflare's edge nodes. Each IP address within the botnet generated an average of approximately 4 Gbps of traffic. The successful defense highlights the escalating sophistication and scale of DDoS threats, with hyper-volumetric attacks exceeding 1 Tbps increasing dramatically. This incident underscores the importance of robust DDoS mitigation strategies and the need for continuous evolution in network security.
References:
- ciso2ciso.com: New Mirai Malware Variant Targets AVTECH Cameras, Huawei Routers – Source: www.infosecurity-magazine.com
- securityaffairs.com: New Mirai botnet variant Murdoc Botnet targets AVTECH IP cameras and Huawei HG532 routers
- The Hacker News: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
- Techzine Global: Mirai variant Murdoc_Botnet targets cameras and routers
- discuss.privacyguides.net: New botnet network targets Avtech cameras and Huawei HG532 routers
- hackread.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- bsky.app: Interesting research from Qualys here where they found a botnet that’s infected vulnerable AVTECH cameras and Huawei routers.
- cyberpress.org: New IoT Botnet Launching large-scale DDoS attacks Hijacking IoT Devices
- gbhackers.com: New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices
- securityonline.info: IoT Botnet Fuels Large-Scale DDoS Attacks Targeting Global Organizations
- ciso2ciso.com: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers – Source:thehackernews.com
- ciso2ciso.com: New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits
- Pyrzout :vm:: Mirai Variant Murdoc Botnet Exploits AVTECH IP Cameras and Huawei Routers
- ciso2ciso.com: Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices.
- ciso2ciso.com: Details about the mitigation of the DDoS attack.
- gbhackers.com: Record Breaking 5.6 Tbps DDoS attack Launched by Mirai Botnet
- ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- securityonline.info: Mirai Botnet Unleashes Record-Breaking DDoS Attack, Cloudflare Thwarts Threat
- hackread.com: Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
- gbhackers.com: Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc, which has been targeting AVTECH cameras and Huawei HG532 routers since at least July 2024.
- BleepingComputer: The largest distributed denial-of-service (DDoS) attack to date peaked at 5.6 terabits per second and came from a Mirai-based botnet with 13,000 compromised devices.
- securityonline.info: On October 29, 2024, Cloudflare revealed details of a DDoS attack orchestrated using a Mirai botnet comprising 13,000
- Pyrzout :vm:: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- blog.cloudflare.com: In 2024, Cloudflare's autonomous DDoS defense systems blocked 21.3M DDoS attacks, up 53% YoY, and 420 DDoS attacks in Q4 2024 exceeded 1 Tbps, up 1,885% QoQ (The Cloudflare Blog)
- Pyrzout :vm:: Cloudflare thwarts a massive 5.6 Tbps Mirai-variant DDoS attack targeting one of its customers
Zeljka Zorz@Help Net Security
//
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.
GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program, which allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands, which could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.
References:
- gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
- The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
- Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
- thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability | The DefendOps Diaries
- www.helpnetsecurity.com: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
- ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers – Source: www.darkreading.com
- BleepingComputer: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.
- securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
- www.bleepingcomputer.com: Hackers exploit critical unpatched flaw in Zyxel CPE devices
- Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
- SecurityWeek: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
- www.securityweek.com: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
- vulnerability.circl.lu: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
- The GreyNoise Blog: Active exploitation of zero-day Zyxel CPE vulnerability (CVE-2024-40891)
- www.zyxel.com: Zyxel security advisory confirms the existence of command injection and insecure default credentials vulnerabilities affecting end-of-life DSL CPE products.
- Dataconomy: If you own these Zyxel devices uninstall them now: No fix is coming
MSSP Alert@MSSP feed for Latest
//
Multiple Mirai-based botnets have been actively exploiting a zero-day vulnerability, tracked as CVE-2025-1316, in Edimax IP cameras for nearly a year. The attacks targeting these vulnerable cameras began around May of last year, with intrusions observed by security researchers. While initial exploitation occurred in May, there was a pause before a resurgence in activity in September and again from January to February.
The attackers are leveraging default credentials on the Edimax devices to deploy the Mirai malware. A proof-of-concept exploit has been available since June 2023, suggesting possible earlier attack attempts. Edimax disclosed that a patch for the zero-day is not possible, because the affected IP cameras reached end-of-life more than 10 years ago and the source code and development environment are no longer available. Therefore, organizations are urged to ensure they are using up-to-date software and firmware on their devices to prevent botnet compromise.
References:
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months. The earliest evidence of exploitation was traced back to October of last year, although public proof-of-concept had been available for over a year before that
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks involve leveraging default credentials to facilitate the deployment of Mirai, known for orchestrating distributed denial-of-service (DDoS) attacks.
Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras have been end-of-life for over 10 years and that it is unable to provide patches. Organizations are urged to update software and firmware.
References:
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
- chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
- securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog
Zeljka Zorz@Help Net Security
//
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.
GreyNoise has observed attackers actively exploiting these vulnerabilities, including exploitation by Mirai-based botnets. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and are even still available for purchase. Zyxel recommends replacing these devices with newer models and disabling Telnet access as an immediate action. The default credentials such as "supervisor:zyad1234" and "zyuser:1234" are particularly problematic, providing easy access for attackers.
References:
- securityonline.info: Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch!
- Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
- securityonline.info: Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
- Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
- vulnerability.circl.lu: A new bundle, Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
- BleepingComputer: Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
@www.bleepingcomputer.com
//
Cloudflare has recently mitigated a record-breaking 5.6 Tbps DDoS attack, showcasing the increasing sophistication and scale of cyber threats. The attack, launched by a Mirai-variant botnet, originated from approximately 13,000 IoT devices and targeted an East Asian Internet Service Provider. This follows a previous 3.8 Tbps DDoS attack mitigated by Cloudflare in October 2024. The new attack, which lasted only 80 seconds and was successfully defended by Cloudflare's automated systems, highlights a worrying trend of escalating hyper-volumetric attacks, with attacks over 1 Tbps increasing by a staggering 1,885% from the previous quarter. The company also noted a 53% increase in the frequency of all DDoS attacks throughout 2024, blocking an average of 4,870 attacks per hour.
A vulnerability in Cloudflare's CDN has also been identified that could expose users' general location. This vulnerability, discovered by a security researcher, allows a person's location to be determined by simply sending an image on platforms such as Signal and Discord. Cloudflare's CDN caches media at data centers closest to users, allowing their general location to be determined through cached responses to an image. It was found that this type of location tracking could achieve an accuracy between 50 and 300 miles, potentially creating privacy and security concerns. While Cloudflare has addressed the specific vulnerability, it has been noted that location attacks could still be performed via other methods.
References:
- ciso2ciso.com: Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack – Source:hackread.com
- BleepingComputer: A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), which could expose a person's general location by simply sending them an image on platforms like Signal and Discord.
- www.scworld.com: User location data exposure threatened by Cloudflare CDN vulnerability