
Mirai Botnets Are Hijacking End-of-Life Routers in 2026: Is Yours One?

New Mirai variants are mass-exploiting old TP-Link and D-Link routers via known flaws. If your router is past end-of-life, it may already be in a botnet.

Sam Carter

If your home or small-office router is more than a few years old and no longer getting firmware updates, it may already be working for someone else. Through 2026, multiple Mirai botnet variants have been mass-exploiting known flaws in end-of-life routers and DVRs, turning forgotten hardware into engines for DDoS attacks. The vulnerabilities are not new or sophisticated; the devices are simply unpatched, unsupported, and reachable from the internet. That combination is all a botnet needs.

Quick answer

If your router is past end-of-life and still reachable from the internet, assume it is a botnet target. Check the manufacturer's support page for your exact model: if it no longer gets firmware updates, replace it, because there is no patch coming. For supported models, install the latest firmware, change the default admin password, and disable WAN-side remote management. The 2026 Mirai variants are not clever zero-days; they harvest unpatched, unsupported TP-Link and D-Link gear with default logins.

Key takeaways

  • New Mirai variants are exploiting known flaws in end-of-life TP-Link and D-Link routers (and TBK DVRs) to build DDoS botnets.
  • A variant called "tuxnokill" exploits CVE-2025-29635 in D-Link DIR-823X routers; "Nexcorium" exploits CVE-2024-3721 in TBK DVRs; the "Ballista" botnet targets TP-Link Archer routers.
  • CISA has flagged actively exploited TP-Link router flaws (including CVE-2023-50224 and CVE-2025-9377) and urged affected users to disconnect unsupported devices.
  • The common thread is end-of-life status: discontinued devices stop receiving patches, so known flaws and default credentials stay open indefinitely.
  • The fix is blunt: replace unsupported routers, change default credentials, and disable remote management, because there is no patch coming for hardware the vendor has abandoned.

Why end-of-life routers are sitting ducks

A botnet operator does not need a clever zero-day. They need devices that are (1) exposed to the internet, (2) running software with a publicly known flaw, and (3) never going to be patched. End-of-life routers check all three boxes. Once a manufacturer discontinues a model, it stops shipping firmware updates, so any vulnerability disclosed after that date stays open forever. Add default or weak admin credentials, which are common on older consumer gear, and the device is trivial to enslave.

Mirai and its many variants automate this at scale, scanning the internet continuously for known-vulnerable models and default logins, then conscripting them. The owner usually never notices: the router keeps working while quietly participating in DDoS attacks.

There is a second cost beyond being part of someone else's botnet. A compromised router sits at the chokepoint of your whole network, so an attacker who controls it can change your DNS settings to redirect you to phishing pages, intercept unencrypted traffic, or pivot to other devices on your LAN. That is why "it still gives me Wi-Fi" is not the same as "it is safe to keep." The fix costs the price of a current router, and a supported mid-range model with automatic firmware updates is inexpensive insurance against a device that will otherwise be found and abused on a long enough timeline.

The 2026 campaigns

Several distinct botnets are running in parallel, each keyed to a specific old flaw in abandoned hardware:

| Campaign | Targets | Flaw exploited |
|---|---|---|
| tuxnokill | D-Link DIR-823X routers | CVE-2025-29635 (command injection), weaponized about a year after disclosure |
| Nexcorium | TBK DVRs | CVE-2024-3721 |
| Ballista | TP-Link Archer routers | RCE flaw, linked to Italian threat actors hitting US orgs |
| CISA-flagged TP-Link | Unsupported TP-Link devices | CVE-2023-50224, CVE-2025-9377 (confirmed actively exploited) |

CISA has urged users of the affected, unsupported TP-Link devices to disconnect and replace them. The broader Masjesu botnet, active since early 2023, continues to exploit known flaws across D-Link, Netgear, Huawei, TP-Link, and other vendors' gear, a reminder that this is an ongoing, multi-vendor problem, not a one-off.

Warning

There is no patch for an end-of-life router. If the vendor has stopped supporting your model, the only real fix is to replace it. Keeping a known-vulnerable, unsupported device on the internet means it will eventually be found and abused.

What to do

    1. Find out if your router is end-of-life. Check the manufacturer's support page for your exact model. If it no longer receives firmware updates, plan to replace it.
    2. Update firmware if support still exists. For supported models, install the latest firmware immediately and enable automatic updates if available; many of these flaws are already patched on current builds.
    3. Replace abandoned hardware. For discontinued models (including the affected TP-Link and D-Link units), buy a newer router that is actively supported. CISA's guidance for some exploited models is to disconnect them.
    4. Change default credentials. Set a strong, unique admin password. Default logins are a primary path Mirai uses.
    5. Disable remote management. Turn off WAN-side access to the admin panel so the device's login page is not reachable from the internet, where botnets scan constantly.
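
One way to confirm step 5 took effect, as an added example that is not part of the original article: a small Python check that reports which management ports on your own public IP accept a TCP connection. The port list and the `wan_check.py` file name are assumptions; run it from a connection outside your LAN (a phone hotspot, for example), since a test from inside the network can be misleading.

```python
import socket
import sys

# Assumption: ports where consumer-router admin or management services
# commonly listen. Adjust the list for your own model.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
              7547: "tr-069", 8080: "http-alt", 8443: "https-alt"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "closed"            # host answered, nothing is listening
    except OSError:
        return "filtered"          # timeout or unreachable: dropped on the way


def exposed_services(host, ports=MGMT_PORTS, timeout=3.0):
    """Map each management port that accepts connections to its label."""
    return {p: name for p, name in ports.items()
            if probe(host, p, timeout) == "open"}


def verdict(open_ports):
    """Turn the probe result into a one-line finding."""
    if not open_ports:
        return "OK: no management service answered from this vantage point"
    listed = ", ".join(f"{p}/{n}" for p, n in sorted(open_ports.items()))
    return f"EXPOSED: {listed} reachable; disable WAN-side remote management"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wan_check.py <your-own-public-IP>")
    print(verdict(exposed_services(sys.argv[1])))
```

An "OK" result only covers the listed ports from that one vantage point; it does not show that the firmware is patched, so steps 1 to 4 still apply.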

For the complete set of router hardening steps, our 10-minute secure-home-router checklist walks through WPA3, encrypted DNS, WPS, and IoT segmentation. And because compromised IoT often starts with a misconfigured network, the device-isolation advice in that guide limits the damage if one gadget is taken over.

Frequently asked questions

How would I know if my router is in a botnet?

It is often invisible: the router keeps working normally. Possible signs include unexplained slowdowns, the device running hot, or your IP being flagged for abusive traffic. The safer approach is preventive: if your router is end-of-life or runs old firmware, assume it is at risk and replace or update it.

My router still works fine. Why replace it?

Functioning and secure are different things. A discontinued router that works perfectly can still be running a publicly known, unpatched flaw that botnets exploit. "It still works" is exactly why so many vulnerable devices stay online.

Are only cheap routers affected?

No. The 2026 campaigns hit mainstream TP-Link and D-Link consumer models. The deciding factor is not price or brand but whether the device is still supported and patched.

I changed my Wi-Fi password. Am I protected?

That helps, but it is not enough. These attacks exploit firmware flaws and the admin interface, not your Wi-Fi passphrase. You also need to change the admin password, disable remote management, and, if the device is unsupported, replace it.

The bottom line

Mirai botnets in 2026 are not breaking new ground; they are harvesting the huge population of end-of-life routers that will never be patched. Check whether your model is still supported, update it if it is, replace it if it is not, change the default admin password, and turn off remote management. An abandoned router on the internet is a botnet recruit waiting to happen.
