
Akamai SIRT specialists have uncovered a vulnerability in Edimax products that is actively exploited to enlist IoT devices into malicious botnets. Although the first indicators of exploitation of CVE-2025-1316 (CVSS: 9.3) emerged in October 2024, a proof of concept discovered during the investigation suggests the vulnerability had been circulating as a zero-day since June 2023.
During their investigation, experts detected activity from multiple botnets exploiting this flaw. Among them are numerous Mirai variants and additional malware strains leveraging not only CVE-2025-1316 but also other well-documented vulnerabilities, including exploits targeting the Docker API. Consequently, compromised devices are assimilated into botnets, posing significant risks to their owners and potentially facilitating attacks against corporate infrastructures.
Attackers exploit the vulnerability through the NTP_serverName parameter: the value is passed into a system command without sanitization, so shell commands embedded in it are executed by the device. Authentication typically relies on the default credentials admin:1234, which are widely prevalent on Edimax devices. The vulnerability affects more than the explicitly named IC-7100 model; several other Edimax devices are similarly susceptible.
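A defender-side check for the two signals named above (shell metacharacters in NTP_serverName and Basic-auth logins with admin:1234), written as an added example for this article rather than code from Akamai or Edimax. The log format, the CGI path and the sample lines are constructed placeholders; the real request path is not given here.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in an NTP hostname or IP value.
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")
# Default credentials the article reports on Edimax devices.
DEFAULT_CREDS = {("admin", "1234")}

# Constructed log format: <src> "<METHOD> <target> HTTP/x.y" auth="<Authorization>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
    r'(?: auth="(?P<auth>[^"]*)")?'
)

def decode_basic(auth_header):
    """Return (user, password) from a Basic Authorization value, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password)

def inspect_request(line):
    """Return a list of finding strings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # parse_qs percent-decodes and turns '+' into a space for us.
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in params.get("NTP_serverName", []):
        if SHELL_META.search(value):
            findings.append(f"ntp_injection src={m['src']} value={value!r}")
    creds = decode_basic(m["auth"])
    if creds in DEFAULT_CREDS:
        findings.append(f"default_creds src={m['src']} user={creds[0]}")
    return findings

def scan(lines):
    return [f for line in lines for f in inspect_request(line)]
# Constructed sample traffic; the CGI path is a placeholder, not the real endpoint.
SAMPLE_LOG = [
    '10.0.0.5 "GET /cgi-bin/PLACEHOLDER.cgi?NTP_serverName=pool.ntp.org HTTP/1.1" auth="Basic YWRtaW46MTIzNA=="',
    '203.0.113.7 "GET /cgi-bin/PLACEHOLDER.cgi?NTP_serverName=pool.ntp.org%3Becho+injected HTTP/1.1" auth="Basic YWRtaW46MTIzNA=="',
    '10.0.0.9 "GET /cgi-bin/PLACEHOLDER.cgi?NTP_serverName=time.example.net HTTP/1.1" auth="Basic b3BzOmNvcnJlY3Rob3JzZQ=="',
]
```

A login with the default credentials is worth an alert on its own, since the article notes that is how the exploit authenticates before the injection is attempted.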
During monitoring, analysts recorded activities by multiple botnets leveraging this exploit. The malicious payload, decrypted by SIRT, involved downloading and executing a script named curl.sh. This script retrieves executable binaries compatible with different architectures, including x86 and ARM. Upon successful installation, the malware displays “VagneRHere” on the console, marking its execution.
In addition to Edimax devices, the adversaries employ similar strategies against other IoT hardware. A separate botnet exploiting the same vulnerability operates similarly but differentiates itself with malicious files prefixed by “.S”. This botnet employs sophisticated techniques, including antivirus evasion mechanisms and anti-debugging features, to enhance its resilience.
Furthermore, the attackers do not limit themselves to Edimax: the same campaigns target other technologies through Docker API exploits, abuse of open NTP services, and exploits for other documented CVEs, and the malware carries anti-analysis capabilities. Its techniques for evading antivirus and debuggers point to a sophisticated threat landscape.
The proliferation of Mirai-based botnets remains an enduring cybersecurity challenge, exacerbated by readily adaptable malware code and widely available guides on botnet construction. The fundamental attack vector continues to rely on exploiting outdated devices, primarily through default or weak authentication credentials.
To mitigate these threats, experts recommend changing default credentials immediately, enforcing network access restrictions, monitoring traffic meticulously, implementing robust access controls, and discontinuing or limiting remote management capabilities.