The recent alert issued by the Akamai Security Intelligence and Response Team (SIRT) has shed light on the exploitation of a critical command injection vulnerability found in Edimax Internet of Things (IoT) devices. This vulnerability, officially identified as CVE-2025-1316, has become a popular target for multiple botnets aiming to distribute the infamous Mirai malware.
CVE-2025-1316 lies in the /camera-cgi/admin/param.cgi endpoint of Edimax devices: an attacker can inject commands through the NTP_serverName option carried in the ipcamSource parameter. Successful exploitation depends on the device still using default credentials such as admin:1234. Although the CVE names Edimax’s IC-7100 network camera, a broader range of Edimax devices is likely affected.
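A defender watching for this activity can flag any param.cgi request whose ipcamSource value sets NTP_serverName to something other than a plain hostname or IPv4 literal. The detector below is an added example, not code from Akamai or the article; the access-log layout (method, URL, status) and the query-string encoding of ipcamSource are assumptions, and the sample lines are constructed, with a placeholder rather than a real payload.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real captures): method, URL, status.
SAMPLE_LOG = """\
GET /camera-cgi/admin/param.cgi?action=list&group=Network 200
POST /camera-cgi/admin/param.cgi?action=update&ipcamSource=NTP_serverName%3Dpool.ntp.org 200
POST /camera-cgi/admin/param.cgi?action=update&ipcamSource=NTP_serverName%3D1.2.3.4%3Bsh%20%2Ftmp%2FCONSTRUCTED.sh 200
GET /index.html 200
"""

TARGET_PATH = "/camera-cgi/admin/param.cgi"
# A legitimate NTP server value is a hostname or IPv4 literal and nothing else;
# anything outside this character set (;, |, &, `, $, whitespace, newlines) is suspect.
HOST_OK = re.compile(r"^[A-Za-z0-9.\-]+$")


def classify_request(line):
    """Return 'exploit', 'ntp-change' or None for one access-log line."""
    parts = line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.path != TARGET_PATH:
        return None
    # parse_qs URL-decodes each value, so %3B becomes ';' before inspection.
    query = parse_qs(url.query, keep_blank_values=True)
    verdict = None
    for value in query.get("ipcamSource", []):
        name, _, host = value.partition("=")
        if name != "NTP_serverName":
            continue
        if not HOST_OK.match(host):
            return "exploit"          # shell metacharacters in an NTP hostname field
        verdict = "ntp-change"        # benign-looking change, still worth auditing
    return verdict


def scan_log(text):
    """Return [(line_no, verdict)] for every param.cgi NTP change found in the log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        verdict = classify_request(line)
        if verdict:
            findings.append((n, verdict))
    return findings


if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Pair this with an alert on any HTTP Basic authentication to the endpoint using the factory admin:1234 pair, since the exploit depends on those defaults.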
According to the Akamai SIRT, the activity targeting this vulnerability was initially detected in early October 2024 through their honeypots. However, the proof of concept (PoC) exploit for this vulnerability can be traced back to June 2023. The first observed exploit attempts occurred in May 2024, with heightened activity seen in September 2024 and January-February 2025, perpetrated by various botnets, including different iterations of Mirai.
The exploit payload involves injecting commands to execute a shell script on the compromised device. The request payload includes downloading and running a variant of the Mirai malware suitable for various architectures such as ARM, MIPS, and x86.
Once the malware is downloaded, the payload runs commands to execute it on the device. These commands differ by device architecture, with separate variants for MIPS and ARM among others.
Two distinct botnets have been identified exploiting this vulnerability. The first uses the exploit to download and execute a curl.sh script and communicates with its command and control (C2) server at angela.spklove[.]com over port 3093; the malware prints “VagneRHere” once executed. The second downloads and executes a wget.sh script, which in turn runs a Mirai variant with anti-debugging features that prints “Hello, World!” upon execution.
Both botnets take advantage of several known vulnerabilities, including a Docker API exploit and CVE-2024-7214 affecting TOTOLINK devices.
To mitigate these threats, it is recommended to replace outdated or vulnerable devices with newer models, use strong and unique passwords across all devices, monitor networks for unusual activity, and implement security measures like firewalls and intrusion detection systems to fend off exploit attempts.
As the shadow of the Mirai malware looms over IoT security, it is imperative for individuals and organizations to remain informed and proactive in safeguarding IoT devices. The continuous exploitation of Edimax IoT devices serves as a stark reminder of the risks associated with legacy firmware and the omnipresent threat of Mirai malware. Adhering to regular monitoring practices and adopting proactive security strategies are crucial steps in defending against ever-evolving cyber threats.