Mirai Botnet Resurgence: Exploiting DVR and Router Flaws for DDoS Mayhem
Threat actors are actively exploiting vulnerabilities in **TBK DVR** devices and end-of-life **TP-Link** routers to deploy **Mirai** botnet variants. Security researchers at **Fortinet FortiGuard Labs** and **Palo Alto Networks Unit 42** have uncovered these campaigns, highlighting the persistent danger posed by unpatched IoT devices.

### TBK DVR Devices Targeted via CVE-2024-3721
**Fortinet** reports that attackers are leveraging **CVE-2024-3721** (CVSS score: 6.3), a command injection vulnerability, in **TBK DVR-4104** and **DVR-4216** digital video recording devices. This flaw allows for the deployment of a **Mirai** variant dubbed **Nexcorium**.
Security researcher Vincent Li noted, "IoT devices are increasingly prime targets for large-scale attacks due to their widespread use, lack of patching, and often weak security settings. Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks."
This vulnerability has been previously exploited to deploy other **Mirai** variants and the **RondoDox** botnet. In September 2025, **CloudSEK** revealed a loader-as-a-service botnet distributing **RondoDox**, **Mirai**, and **Morte** payloads.
The exploit chain involves using **CVE-2024-3721** to download and execute a script that fetches the botnet payload based on the system's architecture. Upon execution, the malware displays "nexuscorp has taken control."
### Nexcorium Botnet Capabilities
**Nexcorium** shares architectural similarities with other **Mirai** variants, including XOR-encoded configuration, a watchdog module, and DDoS attack capabilities. The malware also exploits **CVE-2017-17215** to target **Huawei HG532** devices.
It further employs a list of hard-coded credentials for brute-force attacks via Telnet. Successful logins lead to shell access, persistence setup using crontab and systemd, and connection to an external server for DDoS commands (UDP, TCP, and SMTP). The original downloaded binary is then deleted to hinder analysis.
**Fortinet** emphasizes that **Nexcorium** exhibits typical traits of modern IoT botnets, combining vulnerability exploitation, multi-architecture support, and persistence mechanisms. Its use of known exploits like **CVE-2017-17215** and extensive brute-force capabilities enhance its infection reach.
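The Telnet credential brute-forcing described above leaves a recognisable trace on the device itself: a burst of failed logins from one source, cycling through several usernames, often followed by a successful login. The detector below is an added example (not Fortinet's or Unit 42's code) that runs over constructed, syslog-style login messages; the log format, IP addresses and usernames are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article) in a syslog-style login format.
SAMPLE_LOG = """\
Jun 10 12:00:01 dvr login[412]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Jun 10 12:00:02 dvr login[413]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Jun 10 12:00:03 dvr login[414]: FAILED LOGIN 1 FROM 203.0.113.7 FOR support, Authentication failure
Jun 10 12:00:04 dvr login[415]: FAILED LOGIN 1 FROM 203.0.113.7 FOR user, Authentication failure
Jun 10 12:00:05 dvr login[416]: FAILED LOGIN 1 FROM 203.0.113.7 FOR guest, Authentication failure
Jun 10 12:00:06 dvr login[417]: root login on 'pts/0' from '203.0.113.7'
Jun 10 12:30:00 dvr login[520]: FAILED LOGIN 1 FROM 198.51.100.9 FOR root, Authentication failure
Jun 10 12:45:00 dvr login[521]: FAILED LOGIN 1 FROM 198.51.100.9 FOR root, Authentication failure
"""

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
OK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: (\S+) login on '[^']+' from '([^']+)'")

def _ts(s):
    # Syslog timestamps carry no year; only relative ordering within one log is needed here.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def detect_telnet_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: report} for sources with at least `threshold` failed logins
    inside a sliding window of `window_seconds`. The report lists the usernames tried
    (Mirai-style dictionaries cycle through many) and any login that succeeded after the burst."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # ip -> [(time, username)]
    successes = defaultdict(list)  # ip -> [(time, username)]
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            failures[m.group(2)].append((_ts(m.group(1)), m.group(3)))
        elif m := OK_RE.match(line):
            successes[m.group(3)].append((_ts(m.group(1)), m.group(2)))
    report = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the burst fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= threshold:
                burst_end = events[end][0]
                users = sorted({u for _, u in burst})
                later_ok = [u for t, u in successes.get(ip, []) if t >= burst_end]
                report[ip] = {"failures": len(burst), "usernames": users, "login_after_burst": later_ok}
                break
    return report
```

A source that appears in the report with a non-empty `login_after_burst` is the case to treat as a compromised device, and the next place to look is the crontab and systemd units the article names as persistence points.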
### TP-Link Router Vulnerability (CVE-2023-33538) Exploitation Attempts
**Unit 42** has detected active scans targeting **CVE-2023-33538** (CVSS score: 8.8), a command injection vulnerability affecting end-of-life **TP-Link** wireless routers. Although the observed attacks were flawed, the underlying vulnerability is confirmed.
This flaw was added to **CISA**'s Known Exploited Vulnerabilities (KEV) catalog in June 2025 and impacts the following models:
* TL-WR940N v2 and v4
* TL-WR740N v1 and v2
* TL-WR841N v8 and v10
Researchers Asher Davila, Malav Vyas, and Chris Navarrete from **Unit 42** stated that successful exploitation requires authentication to the router's web interface.
The attacks attempt to deploy a **Mirai**-like botnet malware referencing "Condi." The malware can update itself and act as a web server to spread the infection.
### Mitigation and Recommendations
Given that the affected **TP-Link** devices are no longer supported, users should replace them with newer models and avoid using default credentials.
**Unit 42** warns that default credentials in IoT devices remain a significant security risk, turning authenticated vulnerabilities into critical entry points for attackers.