An unpatched security flaw impacting the Edimax IC-7100 network camera is being exploited by threat actors to deliver Mirat botnet malware variants since at least May 2024.
The vulnerability in question is CVE-2025-1316 (CVSS v4 score: 9.3), a critical operating system command injection flaw that an attacker could exploit to achieve remote code execution on susceptible devices by means of a specially crafted request.
Web infrastructure and security company Akamai said the earliest exploit attempt targeting the flaw dates back to May 2024, although a proof-of-concept (PoC) exploit has been publicly available since June 2023.
“The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi,” Akamai researchers Kyle Lefton and Larry Cashdollar said.
While weaponizing the endpoint requires authentication, it has been found that the exploitation attempts are making use of default credentials (admin:1234) to obtain unauthorized access.
At least two different Mirai botnet variants have been identified as exploiting the vulnerability, with one of them also incorporating anti-debugging functionality prior to running a shell script that retrieves the malware for different architectures.
The end goal of these campaigns is to corral the infected devices into a network capable of orchestrating distributed denial-of-service (DDoS) attacks against targets of interest over TCP and UDP protocols.
Furthermore, the botnets have been observed exploiting CVE-2024-7214, which affects TOTOLINK IoT devices, and CVE-2021-36220, and a Hadoop YARN vulnerability.
In an independent advisory published last week, Edimax said the CVE-2025-1316 affects legacy devices that are no longer actively supported and that it has no plans to provide a security patch since the model was discontinued over 10 years ago.
Given the absence of an official patch, users are advised to either upgrade to a newer model, or avoid exposing the device directly over the internet, change the default admin password, and monitor access logs for any signs of unusual activity.
“One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices,” Akamai said.
“The legacy of Mirai continues to plague organizations worldwide as the propagation of Mirai malware–based botnets shows no signs of stopping. With all sorts of freely available tutorials and source code (and, now, with AI assistance) spinning up a botnet has become even easier.”
