Akamai SIRT identifies Mirai variant campaign actively targeting critical RCE flaws in automation platforms and routers
#Mirai #Zerobot #Botnet #n8n #Tenda #CVE-2025-68613 #CVE-2025-7544
| Field | Detail |
|---|---|
| Affected products | n8n workflow automation platform (versions from 0.211.0 up to but excluding the patched releases 1.120.4, 1.121.1 and 1.122.0) and Tenda AC1206 routers (firmware 15.03.06.23) |
| Campaign type | Mirai-based botnet propagation via command injection and buffer overflow |
| Exploitation status | Observed in the wild |
| Severity | Critical |
| Patch / mitigation status | Available for n8n since December 2025; Tenda firmware updates recommended |
| Sectors at risk | Organisations using self-hosted automation platforms and exposed IoT routers |
| Regions at risk | Global |
| Publication context | New report |
Executive Summary
The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of two critical vulnerabilities by a Mirai-based botnet dubbed Zerobot. The campaign, which dates back to at least December 2025, targets CVE-2025-68613 in the n8n automation platform and CVE-2025-7544 in Tenda AC1206 routers. Activity was first detected in Akamai’s global honeypot network in mid-January 2026.
Targeting of n8n is particularly significant because the platform is often deployed in enterprise environments for critical workflow automation. Successful compromise could enable lateral movement and persistence beyond typical IoT botnet behaviour. Public proof-of-concept exploits exist for both vulnerabilities.
Akamai has published a comprehensive list of indicators of compromise to support defensive action.
Context
Zerobot represents an evolution of Mirai botnet tooling that opportunistically exploits recently disclosed vulnerabilities rather than relying on zero-days. The campaign began with simpler netcat and socat techniques in December 2025 before shifting to wget and curl-based downloaders in January 2026.
While earlier Zerobot activity was documented by Fortinet in 2022, the relationship between that Go-based family and the current zerobotv9 variant remains unconfirmed. This iteration uses a smaller, non-Go binary with the classic Mirai XOR key 0x22 and introduces additional attack functions including TCPXmas, Mixamp, SSH and Discord.
The n8n targeting marks a departure from purely IoT-focused campaigns and increases risk to organisational infrastructure.
Technical Analysis
Zerobot exploits two vulnerabilities to achieve remote code execution and deliver its payload.
CVE-2025-7544 (Tenda AC1206) is a remote stack-based buffer overflow in the /goform/setMacFilterCfg endpoint. It affects firmware version 15.03.06.23 and is triggered via the deviceList parameter. The flaw lies in the parse_macfilter_rule function, where the unchecked deviceList value is passed to strcpy, allowing a stack overflow and arbitrary code execution. According to the NVD entry for CVE-2025-7544, exploitation can lead to denial of service or full remote code execution. A public proof-of-concept is available.
CVE-2025-68613 (n8n) is an authenticated remote code execution vulnerability in the workflow expression evaluation engine. It affects n8n versions from 0.211.0 up to but excluding the patched releases 1.120.4, 1.121.1 and 1.122.0. Insufficient sandboxing allows authenticated users (even without administrative privileges) to escape the expression context and execute arbitrary system commands. According to the n8n security advisory, successful exploitation grants full server access, including file read/write operations and environment variable theft. The n8n advisory and NVD entry for CVE-2025-68613 provide full technical details.
In observed attacks, the initial exploit requests download a shell script (tol.sh) from IP address 144.172.100.228. This script then fetches architecture-specific zerobotv9 binaries (x86, MIPS, ARM, PPC and others) and executes them. The malware connects to the hard-coded C2 domain 0bot.qzz.io and includes the execution string “bruh why again”.
Observed techniques map to the following MITRE ATT&CK entries:
- T1190 – Exploit Public-Facing Application
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- T1105 – Ingress Tool Transfer
The same downloader logic appears in attacks against older vulnerabilities such as CVE-2017-9841, CVE-2021-3129 and CVE-2022-22947.
MITRE ATT&CK mapping
| Tactic | Technique | Technique name | Observed behaviour |
|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | Internet-wide probing for vulnerable endpoints and exposed services |
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of n8n and router web endpoints for code execution |
| Execution | T1059 | Command and Scripting Interpreter | Shell command chains to stage and execute payloads |
| Command and Control | T1105 | Ingress Tool Transfer | Download of tol.sh and multi-arch zerobotv9 payloads |
| Defence Evasion | T1070 | Indicator Removal | Script-level cleanup, deletion of dropped files, history clearing |
| Impact | T1498 | Network Denial of Service | Mirai-derived bot capability for DDoS tasking |
Impact Assessment
Compromise of n8n instances poses elevated risk because the platform frequently integrates with databases, cloud services and internal systems. Attackers could exfiltrate sensitive data, steal API keys or establish persistence within enterprise environments. Tenda router infections contribute to distributed denial-of-service capacity in the classic Mirai model.
Given the low barrier to entry for Mirai variants and the availability of public PoCs, organisations with exposed instances face immediate threat.
Indicators of Compromise
Akamai SIRT has provided the following IOCs with high confidence.
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| IPv4 | 144.172.100.228 | Downloader host for tol.sh | Akamai SIRT | Confirmed |
| IPv4 | 140.233.190.96 | Secondary downloader / TFTP server | Akamai SIRT | Confirmed |
| IPv4 | 172.86.123.179 | Associated infrastructure | Akamai SIRT | Confirmed |
| IPv4 | 216.126.227.101 | Associated infrastructure | Akamai SIRT | Confirmed |
| IPv4 | 103.59.160.237 | Associated infrastructure | Akamai SIRT | Confirmed |
| Domain | 0bot.qzz.io | Primary C2 domain | Akamai SIRT | Confirmed |
| Domain | andro.notemacro.com | Malware distribution path | Akamai SIRT | Confirmed |
| Domain | pivot.notemacro.com | Malware distribution path | Akamai SIRT | Confirmed |
Detection guidance
Akamai SIRT has released detection rules in its report:
- Snort rules covering the malicious IPs and C2 domains are available in the original post.
- YARA rule Mirai_Malware_IOCs_1 detects strings including “bruh why again” and “mamakmukekkontol” together with the listed domains and hashes.
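The string indicators above, the tol.sh downloader described in the technical analysis and the report's note that zerobotv9 uses the classic Mirai XOR key 0x22 can be combined into a small triage check. The script below is an added example, not code from Akamai's report or from the Zerobot sample; the log lines and the binary blob are constructed here for illustration, and the proxy-log format is an assumption.

```python
import re

# Indicators quoted from the report above.
DOWNLOADER_IP = "144.172.100.228"
C2_DOMAIN = "0bot.qzz.io"
DROPPER = "tol.sh"
TENDA_ENDPOINT = "/goform/setMacFilterCfg"
# Strings the report's YARA rule Mirai_Malware_IOCs_1 looks for.
IOC_STRINGS = [b"bruh why again", b"mamakmukekkontol", b"0bot.qzz.io"]
MIRAI_XOR_KEY = 0x22  # classic Mirai table key, collapsed to one byte


def xor_decode(data: bytes, key: int = MIRAI_XOR_KEY) -> bytes:
    """Undo Mirai-style single-byte XOR string obfuscation (self-inverse)."""
    return bytes(b ^ key for b in data)


def scan_blob(blob: bytes) -> set:
    """Return IOC strings present in a sample, in clear or XOR-obfuscated form."""
    hits = set()
    for view in (blob, xor_decode(blob)):
        for s in IOC_STRINGS:
            if s in view:
                hits.add(s.decode())
    return hits


def classify_request(line: str) -> list:
    """Tag one web or proxy log line with the campaign behaviours it matches."""
    tags = []
    if TENDA_ENDPOINT in line:
        tags.append("CVE-2025-7544 endpoint")
    if DOWNLOADER_IP in line or DROPPER in line:
        tags.append("tol.sh downloader")
    if re.search(r"\b(wget|curl)\b", line, re.IGNORECASE):
        tags.append("T1105 ingress tool transfer")
    if C2_DOMAIN in line:
        tags.append("C2 domain")
    return tags


# Constructed sample data (assumption: combined-format access/proxy logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2026:03:12:01 +0000] "POST /goform/setMacFilterCfg HTTP/1.1" 200 -',
    '10.0.0.9 - - [15/Jan/2026:03:12:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.7 - - [15/Jan/2026:03:12:07 +0000] "GET http://144.172.100.228/tol.sh HTTP/1.1" 200 - "Wget/1.21"',
]
# Fake ELF-like blob carrying two IOC strings obfuscated with the 0x22 key.
SAMPLE_BLOB = b"\x00ELF" + xor_decode(b"bruh why again") + b"\x00" + xor_decode(b"0bot.qzz.io")

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify_request(entry))
    print(scan_blob(SAMPLE_BLOB))
```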
Mitigation Recommendations
- Upgrade n8n immediately to version 1.122.0 or later.
- Update Tenda AC1206 firmware or isolate devices from the internet.
- Block all listed IOCs at network perimeter and endpoint layers.
- Restrict n8n workflow editing permissions to trusted users only.
- Monitor for suspicious process executions and outbound connections to the listed domains.
- Deploy network segmentation to limit lateral movement from compromised automation servers.
Threat Intelligence Context
This activity continues the long-standing Mirai ecosystem trend of low-effort, high-volume exploitation of n-day vulnerabilities. The inclusion of enterprise automation platforms alongside traditional IoT targets reflects broadening attacker interest in higher-value infrastructure. Similar campaigns have repeatedly demonstrated that public PoCs accelerate widespread exploitation within weeks of disclosure.
Future Outlook
Expect continued opportunistic targeting of recently disclosed vulnerabilities in automation and IoT products. Botnet operators will likely incorporate additional n-day exploits as they become public, with low-skill actors reusing modified Mirai code or AI-assisted tooling to maintain operations below the radar of major takedowns.
Further Reading
- Akamai SIRT research: Zerobot Malware Targets n8n Automation Platform
- n8n security advisory for CVE-2025-68613
- NVD entry for CVE-2025-68613
- NVD entry for CVE-2025-7544
- Fortinet 2022 analysis of original Zerobot campaign
