
This malware campaign, linked to the Mirai botnet family, was first identified in mid-January 2026 and targets a wide range of vulnerabilities to infect devices and execute malicious code.
The Zerobot malware exploits two specific CVEs: CVE-2025-7544 and CVE-2025-68613, both of which were publicly disclosed before Akamai’s global honeypots observed active exploitation.
Exploit Mechanism
CVE-2025-7544 is a remote stack-based buffer overflow vulnerability affecting the /goform/setMacFilterCfg endpoint in Tenda AC1206 devices.
The flaw, discovered in mid-July 2025, stems from the mishandling of input to the deviceList parameter; exploiting it lets attackers execute arbitrary commands on the affected device and can also be used to crash it in a denial-of-service (DoS) condition.
A proof-of-concept (PoC) exploit for this vulnerability has been publicly shared and can be easily triggered by sending a crafted request to the vulnerable endpoint.
CVE-2025-68613, a remote code execution (RCE) vulnerability in the n8n workflow automation platform, was disclosed in December 2025.
This issue allows attackers to execute arbitrary code on the server by exploiting insecure expression evaluations in n8n workflows.
Unauthenticated users can exploit the vulnerability to access sensitive data, including environment variables, API keys, and configuration files.
This flaw is notable because it could enable lateral movement within networks, particularly given that n8n is used in critical infrastructure operations across various industries.
The Zerobot Campaign and Its Impact
The Zerobot malware campaign exploits these vulnerabilities to deploy Mirai-based botnet payloads. Akamai’s SIRT observed the attack in action, with attackers triggering the Tenda router’s stack-based buffer overflow.
This allows the botnet to install a malicious shell script, tol.sh, which then downloads and executes the primary Zerobot malware payload.
The attack was observed across the global network of honeypots, with attackers actively executing remote code and gaining control of compromised systems.
Zerobot, in its current iteration, uses advanced evasion techniques that include downloading payloads from Vercel-hosted domains and obfuscating its malicious scripts.
Once deployed, the Zerobot botnet connects to a command-and-control (C2) server and runs a variety of attacks.
These include downloading a multi-stage infostealer toolkit that targets browser credentials, SSH keys, and Git repositories, ultimately stealing sensitive developer data.
| Vulnerability | Product | CVSS | Type | Affected Versions |
|---|---|---|---|---|
| CVE-2025-7544 | Tenda AC1206 | 8.8 | Buffer Overflow | 15.03.06.23 |
| CVE-2025-68613 | n8n | 9.9 | RCE via Expressions | 0.211.0 to 1.120.3, 1.121.0, early 1.122.x |
According to Akamai research, the Zerobot botnet campaign highlights the increasing sophistication of botnets that opportunistically exploit recently disclosed CVEs.
The targeting of widely used IoT devices and critical infrastructure platforms like n8n illustrates how vulnerabilities in seemingly unrelated technologies can be weaponized.
Organizations using Tenda routers or the n8n platform must promptly patch their systems to mitigate the risks posed by these ongoing exploits.
Regular updates, monitoring for abnormal traffic, and leveraging network detection tools are essential to protecting against such threats.
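As an added illustration of the "monitoring for abnormal traffic" advice, and of the endpoint and parameter named in the Tenda section above, the following Python script is example detection logic written for this page, not code from Akamai, Tenda or the Zerobot analysis. It scans constructed request-log lines for two indicators the article describes: an unusually large deviceList value sent to /goform/setMacFilterCfg, and any request for the tol.sh dropper script. The log line format, the length threshold and the sample entries are all assumptions and should be adapted to the logs actually available.

```python
"""Flag request-log lines matching the indicators described in the article:
an oversized deviceList parameter sent to /goform/setMacFilterCfg on a Tenda
router, and any fetch of the tol.sh dropper script.
Log format, threshold and sample data are assumptions made for this example."""
import re
from urllib.parse import parse_qs

# Assumed threshold: a MAC-filter list holds a handful of 17-character MAC
# addresses, so a deviceList value hundreds of bytes long is suspicious.
# Tune this against your own devices' legitimate traffic.
DEVICELIST_MAX_LEN = 256

# Assumed log format, one request per line:
#   <client_ip> <METHOD> <path> [<urlencoded body>]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$'
)


def analyse_request(line):
    """Return a list of alert strings for one log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: ignore rather than guess
    ip, path = m.group('ip'), m.group('path')
    body = m.group('body') or ''
    alerts = []

    # Indicator 1: oversized deviceList sent to the vulnerable endpoint.
    if path.split('?', 1)[0] == '/goform/setMacFilterCfg':
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get('deviceList', []):
            if len(value) > DEVICELIST_MAX_LEN:
                alerts.append(
                    f'{ip}: oversized deviceList ({len(value)} bytes) '
                    f'sent to /goform/setMacFilterCfg'
                )

    # Indicator 2: a request for the tol.sh dropper named in the article.
    if path.split('?', 1)[0].rsplit('/', 1)[-1] == 'tol.sh':
        alerts.append(f'{ip}: request for tol.sh dropper script')

    return alerts


def scan_log(lines):
    """Run analyse_request over every line and collect all alerts."""
    return [alert for line in lines for alert in analyse_request(line)]


# Constructed sample log lines (not real captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 GET /index.html',
    '10.0.0.7 POST /goform/setMacFilterCfg '
    'macFilterType=black&deviceList=00:11:22:33:44:55',
    '203.0.113.9 POST /goform/setMacFilterCfg '
    'macFilterType=black&deviceList=' + 'A' * 600,
    '203.0.113.9 GET /tol.sh',
]

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The legitimate MAC-filter update on the second line produces no alert, while the 600-byte deviceList and the tol.sh fetch each produce one. In practice the same checks belong in whatever parses the router's or upstream proxy's logs, with the threshold set from observed benign request sizes rather than the constructed value used here.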
The post Tenda Routers Hit By Zerobot Malware Exploiting Command Injection Flaw appeared first on Cyber Security News.
