C0XMO Gafgyt botnet exploits DD-WRT router flaw CVE-2021-27137 to spread across routers and IoT devices

A new botnet called C0XMO is infecting DD-WRT routers and other internet-connected devices so they can be used in denial-of-service attacks. Fortinet says the malware exploits CVE-2021-27137, an unauthenticated buffer overflow in DD-WRT, and also brute-forces Telnet and SSH logins while carrying binaries for multiple CPU architectures including ARM, MIPS, PowerPC, x86, and x86_64. The botnet establishes persistence with cron jobs and startup-file changes, then removes rival malware and tooling from infected systems.
Why it matters: Organizations and users with exposed routers, DVRs, and similar devices may be silently pulled into a botnet and used in attacks. Patch affected firmware where available, disable unnecessary remote administration, and change weak or reused device credentials immediately.

Sources

C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
Bill Toulas, 2026.06.07
This article appears to be the first tracked item establishing the C0XMO botnet campaign and its use of CVE-2021-27137 in DD-WRT devices.