Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet

cnPilot Router Zero-Day Exploit and AIRASHI DDoS Botnet

Overview

Threat actors have been exploiting a zero-day vulnerability in Cambium Networks' cnPilot routers to deploy a variant of the AISURU botnet known as AIRASHI. This botnet is designed to carry out distributed denial-of-service (DDoS) attacks and has been active since June 2024 [1][4].

Key Details of the Exploit and Botnet

  • Zero-Day Vulnerability: The specific details of the zero-day vulnerability in cnPilot routers have been withheld to prevent further abuse. However, it is known that this vulnerability is being actively exploited by the threat actors [1][4].

  • AIRASHI Botnet: AIRASHI is a sophisticated botnet that has evolved from the AISURU (also known as NAKOTNE) botnet. It was previously involved in DDoS attacks targeting the distribution platforms of the game "Black Myth: Wukong" in August 2024 [1][4].

  • Capabilities and Variants:

    • AIRASHI-DDoS: This variant, detected in late October 2024, primarily focuses on DDoS attacks but also supports arbitrary command execution and reverse shell access.
    • AIRASHI-Proxy: Detected in early December 2024, this variant adds proxy functionality on top of the DDoS capabilities [1][4].

  • Encryption and Communication: AIRASHI encrypts its traffic with the RC4 and ChaCha20 stream ciphers, combined with HMAC-SHA256 for message integrity verification. The botnet uses a new network protocol involving key negotiation, HMAC verification, and encrypted message exchanges [1][4].

  • Geographical Impact: The compromised devices are predominantly located in Brazil, Russia, Vietnam, and Indonesia, with primary targets including sectors in China, the United States, Poland, and Russia [1][4].

  • Attack Capacity: The AIRASHI botnet maintains a consistent attack capacity ranging from 1 to 3 Tbps, as demonstrated through tests shared on Telegram [1][4].

Exploited Vulnerabilities

In addition to the zero-day vulnerability in cnPilot routers, the AIRASHI botnet exploits several other known vulnerabilities, including:

  • CVE-2013-3307
  • CVE-2016-20016
  • CVE-2017-5259
  • CVE-2018-14558
  • CVE-2020-25499
  • CVE-2020-8515
  • CVE-2022-3573
  • CVE-2022-40005
  • CVE-2022-44149
  • CVE-2023-28771
  • Vulnerabilities in AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices [1][4].

IoT Device Vulnerabilities in 2025

General IoT Vulnerabilities

IoT devices are inherently vulnerable due to several factors:

  • Diverse Nature: The lack of standardization in IoT devices makes them harder to secure [2].
  • User Convenience and Cost-Effectiveness: IoT devices are often designed with user convenience and cost-effectiveness in mind, with security being an afterthought [2].
  • Limited Processing Power and Memory: The limited resources in IoT devices restrict the implementation of robust security measures [2].

Securing IoT Environments

To mitigate these vulnerabilities, several strategies are recommended:

  • Baseline Hardening: Securing known vulnerabilities using standards like NIST's Security Technical Implementation Guides (STIG) and Center for Internet Security (CIS) Benchmarks [2].
  • Zero Trust: Assuming every interaction is a threat and implementing multifactor authentication, data encryption, and network segmentation [2].
  • Stronger Authentication Protocols: Using multifactor authentication, biometric authentication, certificates, and digital signatures [2].
  • Data Encryption: Ensuring data transmitted by IoT devices is encrypted [2].
  • Updates and Patches: Regularly updating devices with security patches [2].
  • Network Segmentation: Isolating IoT devices to prevent them from affecting critical systems if breached [2].
  • AI and Machine Learning: Using these technologies to detect and respond to threats in real time [2].

Predictions for 2025

Cybersecurity predictions for 2025 highlight the continued importance of securing IoT devices:

  • Increased Focus on IoT: Despite not being the primary focus in 2024, securing IoT devices remains critical due to their increasing presence and vulnerability to attacks [5].
  • Talent Shortage and Tool Consolidation: The ongoing cybersecurity skills gap is expected to drive further vendor consolidation and the use of AI-augmented security tools to manage IoT and other device security [5].

Conclusion

The exploitation of the zero-day vulnerability in cnPilot routers by the AIRASHI botnet underscores the persistent threat posed by unsecured IoT devices. As the number of connected devices is projected to exceed 75 billion in 2025, the importance of robust security measures, such as baseline hardening, Zero Trust, and regular updates, cannot be overstated [2][5].

For more detailed technical breakdowns and mitigation strategies, refer to the reports from QiAnXin XLab and other cybersecurity resources [1][4].