Mirai Variant Nexcorium Exploits CVE-2024-3721 to Compromise TBK DVRs and Launch DDoS Attacks

Recent investigations by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have uncovered that threat actors are actively exploiting vulnerabilities in TBK DVR devices and end-of-life (EoL) TP-Link Wi-Fi routers. This exploitation facilitates the deployment of Mirai-botnet variants, notably a new variant known as Nexcorium, on compromised devices. The ramifications of these attacks are considerable, underscoring persistent vulnerabilities in Internet of Things (IoT) devices and the ongoing threat landscape they represent.

Understanding the Vulnerability

The attacks specifically target TBK DVR devices by leveraging a command injection vulnerability designated as CVE-2024-3721, which carries a CVSS score of 6.3. This medium-severity vulnerability impacts TBK DVR-4104 and DVR-4216 models, allowing attackers to deploy the Nexcorium variant of the Mirai botnet. Security researcher Vincent Li has highlighted that IoT devices are becoming increasingly attractive targets for large-scale attacks due to their widespread adoption, insufficient patching, and often inadequate security configurations.

Li noted that threat actors continue to exploit known vulnerabilities to gain initial access and deploy malware capable of persisting, spreading, and executing distributed denial-of-service (DDoS) attacks.

Historical Context of the Vulnerability

CVE-2024-3721 has a history of exploitation. Over the past year, it has been used to deploy various Mirai variants and a newer botnet called RondoDox. In September 2025, CloudSEK reported on a large-scale loader-as-a-service botnet that distributed RondoDox, Mirai, and Morte payloads through weak credentials and outdated vulnerabilities in routers, IoT devices, and enterprise applications.

The exploitation of CVE-2024-3721 involves dropping a downloader script that launches the botnet payload tailored to the architecture of the Linux system. Upon execution, the malware displays a message indicating that “nexuscorp has taken control.”

Technical Details of the Nexcorium Botnet

Nexcorium exhibits architectural similarities to previous Mirai variants, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module. The malware also exploits CVE-2017-17215 to target Huawei HG532 devices within the network. It contains a list of hard-coded usernames and passwords to facilitate brute-force attacks via Telnet connections.
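The XOR-encoded configuration table mentioned above follows, in classic Mirai, a simple scheme: each byte of an entry is XORed in turn with the four bytes of a 32-bit key. The block below is an added example (not code from the article, from Fortinet, or from the malware) that decodes such a table for analysis and, for a variant whose key is unknown, ranks all single-byte keys by how text-like the result is. The 0xDEADBEEF key comes from the leaked Mirai source and the sample strings are constructed; neither is a value confirmed for Nexcorium.

```python
from __future__ import annotations

MIRAI_TABLE_KEY = 0xDEADBEEF  # key from the leaked Mirai source; assumed, not confirmed for Nexcorium

def effective_key_byte(key32: int) -> int:
    """Mirai XORs each byte with k1, k2, k3, k4 in turn, which collapses to a single key byte."""
    k1, k2 = key32 & 0xFF, (key32 >> 8) & 0xFF
    k3, k4 = (key32 >> 16) & 0xFF, (key32 >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4

def toggle_obf(entry: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Obfuscate or deobfuscate one table entry (XOR is its own inverse)."""
    k = effective_key_byte(key32)
    return bytes(b ^ k for b in entry)

def is_texty(b: int) -> bool:
    """Bytes expected in a decoded config string: ASCII alphanumerics, path/separator chars, NUL."""
    return (b < 128 and chr(b).isalnum()) or b in b" /._-:\x00"

def text_score(data: bytes) -> float:
    return sum(is_texty(b) for b in data) / len(data) if data else 0.0

def bruteforce_single_byte_key(blob: bytes) -> tuple[int, bytes]:
    """For a variant with an unknown key: pick the single-byte key giving the most text-like output."""
    best = max(range(256), key=lambda k: text_score(bytes(b ^ k for b in blob)))
    return best, bytes(b ^ best for b in blob)

def decode_table(table: list[bytes], key32: int = MIRAI_TABLE_KEY) -> list[str]:
    """Deobfuscate every entry and strip the NUL terminator Mirai stores with each string."""
    return [toggle_obf(e, key32).rstrip(b"\x00").decode("ascii", "replace") for e in table]

# Constructed sample entries (not real Nexcorium configuration values), kept the
# way Mirai keeps them: obfuscated in memory, each terminated by a NUL byte.
SAMPLE_PLAIN = [b"/proc/\x00", b"/dev/watchdog\x00", b"listening tun0\x00"]
SAMPLE_TABLE = [toggle_obf(s) for s in SAMPLE_PLAIN]

if __name__ == "__main__":
    print(decode_table(SAMPLE_TABLE))
    key, _ = bruteforce_single_byte_key(b"".join(SAMPLE_TABLE))
    print(f"recovered single-byte key: {key:#04x}")  # 0x22 for 0xDEADBEEF
```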

If successful, the malware attempts to obtain a shell, establish persistence through a crontab entry and a systemd service, and connect to an external server to await commands for launching DDoS attacks over various protocols, including UDP, TCP, and SMTP. Once persistence is established, the malware deletes the original downloaded binary to hinder detection and analysis.
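A defender checking a Linux device for the persistence pattern described above would look for exactly those artifacts: a cron job or systemd unit relaunching something from a writable directory, and a running process whose on-disk binary has already been deleted. The block below is an added example (not from the article, Fortinet or Unit 42) that runs that triage logic over constructed sample data; the /proc exe-link snapshot, crontab and unit file are hypothetical, and on a real host the same functions would be fed from os.readlink on /proc/<pid>/exe, crontab -l and /etc/systemd/system.

```python
from __future__ import annotations
import re
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # nothing legitimate should launch from here

# Constructed sample: what os.readlink(f"/proc/{pid}/exe") would return for a few processes.
SAMPLE_EXE_LINKS = {
    1: "/sbin/init",
    742: "/usr/sbin/cron",
    9113: "/tmp/.x/arm7 (deleted)",  # still running, but the file was unlinked after launch
}
# Constructed sample `crontab -l` output: one benign job and two relaunching from writable dirs.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/arm7
*/5 * * * * /var/tmp/.sys/update >/dev/null 2>&1
"""
# Constructed sample unit file, as it might be dropped under /etc/systemd/system/.
SAMPLE_UNIT = """\
[Unit]
Description=System Update
[Service]
ExecStart=/var/tmp/.sys/update
Restart=always
"""

def deleted_binaries(exe_links: dict[int, str]) -> list[int]:
    """PIDs whose executable is gone from disk: Linux appends ' (deleted)' to the exe link."""
    return [pid for pid, target in exe_links.items() if target.endswith(" (deleted)")]

def suspicious_cron_lines(crontab: str) -> list[str]:
    """Cron jobs whose command lives in a world-writable directory."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # '@reboot'-style lines have one schedule field, ordinary lines have five
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(fields) > 1 and fields[-1].startswith(WRITABLE_DIRS):
            hits.append(line)
    return hits

def suspicious_exec_start(unit_text: str) -> list[str]:
    """ExecStart= targets in writable directories (systemd allows -, @, :, +, ! prefixes)."""
    execs = [e.strip() for e in re.findall(r"^ExecStart=(.+)$", unit_text, re.MULTILINE)]
    return [e for e in execs if e.lstrip("-@:+!").startswith(WRITABLE_DIRS)]

if __name__ == "__main__":
    print(deleted_binaries(SAMPLE_EXE_LINKS), suspicious_cron_lines(SAMPLE_CRONTAB),
          suspicious_exec_start(SAMPLE_UNIT))
```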

Fortinet has remarked that the Nexcorium malware displays typical characteristics of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to maintain long-term access to infected systems. The use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, emphasizes its adaptability and effectiveness in expanding its infection reach.

Ongoing Threats and Security Measures

Unit 42 has also reported ongoing automated scans and probes attempting to exploit CVE-2023-33538, another command injection vulnerability affecting EoL TP-Link wireless routers. Although the observed attempts were flawed and unsuccessful, they confirm that the vulnerability is real and exploitable. This vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025 and impacts several TP-Link models, including TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10.

Researchers Asher Davila, Malav Vyas, and Chris Navarrete have stated that while the observed attacks were flawed and would likely fail, their analysis confirms the underlying vulnerability is real. Successful exploitation requires authentication to the router’s web interface, making it crucial for users to implement robust security measures.

Recommendations for Users

Given that the affected TP-Link devices are no longer actively supported, users are strongly encouraged to replace them with newer models and ensure that default credentials are not utilized. The ongoing risk associated with default credentials in IoT devices continues to shape the security landscape, as these credentials can transform a limited, authenticated vulnerability into a critical entry point for determined attackers.

Unit 42 has emphasized that default credentials in IoT devices will remain a persistent risk. Organizations and individuals must therefore stay vigilant and proactive in addressing vulnerabilities in IoT devices; the exploitation of CVE-2024-3721 by the Nexcorium variant is a stark reminder of the ongoing challenges in securing interconnected devices.

For further insights, refer to the original reporting source: cyberwarriorsmiddleeast.com.

Published on 2026-04-18 21:20:00 • By the Editorial Desk