Unpatched Edimax Camera Flaw Exploited for Mirai Botnet Attacks Since Last Year
Summary:
According to security researchers at Akamai, a critical command injection flaw impacting the Edimax IC-7100 network camera has been exploited in attacks in the wild since at lest May 2024 to deliver Mirai botnet malware variants. The vulnerability in question is being tracked as CVE-2025-1316, and can enable actors to achieve remote code execution on vulnerable devices via a specially crafted request. “The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi. This exploit requires authentication, and all the exploit attempts we observed were passing default credentials; typically admin:1234, which is the default credentials for Edimax devices,” notes Akamai in its new blog post.
Security Officer Comments:
Akamai reported that it identified a proof-of-concept (POC) exploit for CVE-2025-1316 as early as June 2023. The extended exposure window since then has provided threat actors with ample opportunity to exploit the vulnerability, allowing them to compromise vulnerable Edimax cameras. These compromised devices have subsequently been incorporated into the Mirai botnet, potentially fueling future operations, including large-scale distributed denial-of-service attacks.
Suggested Corrections:
Mirai botnet has been also observed targeting other vulnerabilities such as a Docker API exploit and CVE-2021-36220 (a Hadoop YARN vulnerability), highlighting the need for organizations to apply patches as soon as they become available. In the case of CVE-2025-1316, the vulnerability impacts Edimax’s IC-7100 network camera, which has reached end of life support, making it particularly vulnerable to potential attacks. In the absence of an official patch, users are recommended to either upgrade to a newer model or take precautions such as avoiding direct exposure of the device to the internet, changing the default admin password, and regularly monitoring access logs for any signs of suspicious activity.
Akamai has shared IOCs, as well as Snort and Yara rules to help defenders, which can be accessed here.
Link(s):
https://thehackernews.com/2025/03/unpatched-edimax-camera-flaw-exploited.html
According to security researchers at Akamai, a critical command injection flaw impacting the Edimax IC-7100 network camera has been exploited in attacks in the wild since at lest May 2024 to deliver Mirai botnet malware variants. The vulnerability in question is being tracked as CVE-2025-1316, and can enable actors to achieve remote code execution on vulnerable devices via a specially crafted request. “The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi. This exploit requires authentication, and all the exploit attempts we observed were passing default credentials; typically admin:1234, which is the default credentials for Edimax devices,” notes Akamai in its new blog post.
Security Officer Comments:
Akamai reported that it identified a proof-of-concept (POC) exploit for CVE-2025-1316 as early as June 2023. The extended exposure window since then has provided threat actors with ample opportunity to exploit the vulnerability, allowing them to compromise vulnerable Edimax cameras. These compromised devices have subsequently been incorporated into the Mirai botnet, potentially fueling future operations, including large-scale distributed denial-of-service attacks.
Suggested Corrections:
Mirai botnet has been also observed targeting other vulnerabilities such as a Docker API exploit and CVE-2021-36220 (a Hadoop YARN vulnerability), highlighting the need for organizations to apply patches as soon as they become available. In the case of CVE-2025-1316, the vulnerability impacts Edimax’s IC-7100 network camera, which has reached end of life support, making it particularly vulnerable to potential attacks. In the absence of an official patch, users are recommended to either upgrade to a newer model or take precautions such as avoiding direct exposure of the device to the internet, changing the default admin password, and regularly monitoring access logs for any signs of suspicious activity.
Akamai has shared IOCs, as well as Snort and Yara rules to help defenders, which can be accessed here.
Link(s):
https://thehackernews.com/2025/03/unpatched-edimax-camera-flaw-exploited.html