NEWS Hackers don't even need an admin panel. How n8n helps attackers navigate your clouds.

pinkman

We'll explain why the habit of simplifying everything turned into a disaster.
The Zerobot malware network began actively exploiting vulnerabilities in Tenda routers and the n8n automation platform. The campaign was discovered by the Akamai team in January 2026, when it detected attacks on its own honeypot network. These are the first confirmed cases of exploitation of these vulnerabilities since their disclosure in the second half of 2025.

Zerobot is built on Mirai and targets vulnerabilities CVE-2025-7544 and CVE-2025-68613. The former affects Tenda AC1206 routers with firmware version 15.03.06.23. A buffer overflow in the setMacFilterCfg handler allows for remote code execution via the deviceList parameter. A public exploitation example appeared shortly after the issue was disclosed, making it easier for attackers to exploit.

The second vulnerability is related to the expression processing system in n8n. Versions 0.211.0 through 1.20.4, as well as 1.21.1 and 1.22.0, allow arbitrary server commands to be executed due to a lack of isolation when evaluating expressions in worker processes. A non-administrative account is sufficient. Through this flaw, an attacker can read and modify files, obtain environment variables with API keys, and gain persistence in the attacked infrastructure. Since n8n is often used to integrate internal services and cloud platforms, a compromise creates the risk of lateral movement across the network.

Akamai analysts detected attempts to download the tol.sh script from the IP address 144.172.100.228. The script downloads zerobotv9 executables for various architectures and executes them. The malicious module is packed using UPX, contains encrypted strings, and accesses the control domain 0bot.qzz.io. The code includes a characteristic Mirai launch string and a set of embedded user agents to mask traffic.

According to the report, the operators began the campaign no later than December 2025, initially using netcat and socat to download the payload, then switching to curl and wget. In addition to new vulnerabilities, Zerobot scans for known legacy issues, specifically CVE-2017-9841, CVE-2021-3129, and CVE-2022-22947. This reflects a typical botnet tactic: quickly deploying published descriptions and ready-made exploits before system owners have installed updates.

The name Zerobot first appeared in Fortinet materials in 2022, but its connection to the previous operators remains unclear. Version 9 differs significantly from earlier samples in size and programming language, but retains certain elements of Mirai, including the XOR key 0xDEADBEEF.

Akamai has published indicators of compromise, rules for Snort and YARA, and a list of affected IP addresses and hashes. The company recommends that organizations scan Tenda routers and n8n installations, install updates, and restrict access to services from the external network.
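Added example (not code from the article or from Akamai's published rules): a small defender-side triage script that checks a reported n8n version against the affected ranges listed above and scans log lines for the indicators named in the report. The log lines are constructed for the demo, not real telemetry.

```python
import re

# Indicators quoted from the Akamai report as summarised above.
IOC_IPS = {"144.172.100.228"}
IOC_DOMAINS = {"0bot.qzz.io"}
IOC_FILES = {"tol.sh", "zerobotv9"}

# n8n versions the article lists as affected by CVE-2025-68613 (inclusive ranges).
AFFECTED_N8N = [((0, 211, 0), (1, 20, 4)), ((1, 21, 1), (1, 21, 1)), ((1, 22, 0), (1, 22, 0))]

def parse_version(text):
    """Turn 'v1.20.4' / '1.20.4' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return tuple(int(p) for p in m.groups())

def n8n_affected(version):
    """True when the running n8n version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_N8N)

def _bounded(ioc):
    # Match the indicator only as a whole token: 144.172.100.228 must not match
    # 144.172.100.2289, and tol.sh must not match protocol.sh, while a filename
    # such as zerobotv9.arm7 still matches on its zerobotv9 stem.
    return re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?!\w)")

IOC_PATTERNS = {ioc: _bounded(ioc) for ioc in IOC_IPS | IOC_DOMAINS | IOC_FILES}

def scan_line(line):
    """Return the set of Zerobot indicators present in one log line."""
    return {ioc for ioc, pat in IOC_PATTERNS.items() if pat.search(line)}

def triage(lines):
    """Return (line_number, hits) for every line that contains an indicator."""
    found = [(n, scan_line(l)) for n, l in enumerate(lines, 1)]
    return [(n, hits) for n, hits in found if hits]

# Constructed sample lines (web, egress proxy, DNS and file-monitor events), not real telemetry.
SAMPLE_LOG = [
    '10.0.0.12 - - [14/Jan/2026:03:14:07 +0000] "GET /healthz HTTP/1.1" 200 17',
    'proxy: 10.0.0.12 CONNECT 144.172.100.228:80 GET /tol.sh 200 1024',
    'dns: 10.0.0.12 query A 0bot.qzz.io',
    'fim: new executable /tmp/zerobotv9.arm7 written by uid 1000',
]

if __name__ == "__main__":
    print("n8n 1.20.4 affected:", n8n_affected("1.20.4"))
    for n, hits in triage(SAMPLE_LOG):
        print(f"line {n}: {sorted(hits)}")
```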