🟡 CVE-2025-3800: A vulnerability has been found... 🟡 CVE-2025-3799: A vulnerability, which was cla... 🟡 CVE-2025-3798: A vulnerability, which was cla... 🟡 CVE-2025-3661: The SB Chart block plugin for ... ⚠️ CVE-2025-3404: The Download Manager plugin fo... 🔥 CVE-2021-4455: The Wordpress Plugin Smart Pro... 🟡 CVE-2025-3797: A vulnerability classified as ... ⚠️ CVE-2025-3809: The Debug Log Manager plugin f... ⚠️ CVE-2025-2111: The Insert Headers And Footers... ⚠️ CVE-2025-3103: The CLEVER - HTML5 Radio Playe... 🟡 CVE-2025-3275: The Themesflat Addons For Elem... 🟡 CVE-2025-1457: The Element Pack Addons for El... 🔥 CVE-2025-1093: The AIHub theme for WordPress ... 🟡 CVE-2025-3284: The User Registration & Member... 🔥 CVE-2025-3278: The UrbanGo Membership plugin ... ⚠️ CVE-2025-2010: The JobWP – Job Board, Job Lis... 🟡 CVE-2025-43903: NSSCryptoSignBackend.cc in Pop... 🟡 CVE-2025-3796: A vulnerability classified as ... ⚠️ CVE-2025-32953: z80pack is a mature emulator o... 🟡 CVE-2025-3795: A vulnerability was found in D... 🟡 CVE-2025-36625: In Nessus versions prior to 10... 🟡 CVE-2025-32377: Rasa Pro is a framework for bu... 🟢 CVE-2025-25985: An issue in Macro-video Techno... 🟡 CVE-2025-25984: An issue in Macro-video Techno... 🟢 CVE-2025-25983: An issue in Macro-video Techno... 🟡 CVE-2025-28355: Volmarg Personal Management Sy... ⚠️ CVE-2025-24914: When installing Nessus to a no... 🟡 CVE-2025-29513: Cross-Site Scripting (XSS) vul... 🟡 CVE-2025-29512: Cross-Site Scripting (XSS) vul... 🟡 CVE-2025-1697: A potential security vulnerabi... 🟡 CVE-2024-41447: A stored cross-site scripting ... 🟡 CVE-2025-32796: Dify is an open-source LLM app... 🟡 CVE-2025-32795: Dify is an open-source LLM app... ⚠️ CVE-2025-32792: SES safely executes third-part... ⚠️ CVE-2025-32442: Fastify is a fast and low over... 🔥 CVE-2025-32434: PyTorch is a Python package th... ⚠️ CVE-2025-32389: NamelessMC is a free, easy to ... 🟡 CVE-2025-31120: NamelessMC is a free, easy to ... ⚠️ CVE-2025-31118: NamelessMC is a free, easy to ... ⚠️ CVE-2025-30357: NamelessMC is a free, easy to ... ⚠️ CVE-2025-30158: NamelessMC is a free, easy to ... ⚠️ CVE-2025-29784: NamelessMC is a free, easy to ... 🟡 CVE-2025-27599: Element X Android is a Matrix ... 🟡 CVE-2025-3792: A vulnerability, which was cla... 🟡 CVE-2025-3791: A vulnerability classified as ... 🟡 CVE-2025-2950: IBM i 7.3, 7.4, 7.5, and 7.5 i... ⚠️ CVE-2025-29625: A buffer overflow vulnerabilit... 🟡 CVE-2025-3790: A vulnerability classified as ... 🟡 CVE-2025-3789: A vulnerability was found in b... 🟡 CVE-2025-32790: Dify is an open-source LLM app... 🟡 CVE-2024-46089: 74cms <=3.33 is vulnerable to ... 🟡 CVE-2024-49808: IBM Sterling Connect:Direct We... 🟡 CVE-2024-45651: IBM Sterling Connect:Direct We... 🟡 CVE-2025-3788: A vulnerability was found in b... 🟡 CVE-2025-3787: A vulnerability was found in P... 🟡 CVE-2025-3106: The LA-Studio Element Kit for ... ⚠️ CVE-2025-3786: A vulnerability was found in T... ⚠️ CVE-2025-3785: A vulnerability has been found... 🟡 CVE-2025-3056: The Download Manager plugin fo... 🔥 CVE-2025-2492: An improper authentication con... 🟡 CVE-2025-3783: A vulnerability classified as ... 🟡 CVE-2025-3598: The Coupon Affiliates – Affili... 🟡 CVE-2025-2162: The MapPress Maps for WordPres... 🔥 CVE-2025-1863: Insecure default settings have... 🔥 CVE-2025-39471: Improper Neutralization of Spe... ⚠️ CVE-2025-39470: Path Traversal: '.../...//' vu... ⚠️ CVE-2025-39469: Improper Neutralization of Inp... 🔥 CVE-2025-42599: Active! mail 6 BuildInfo: 6.60... ⚠️ CVE-2025-3520: The Avatar plugin for WordPres... 🟡 CVE-2025-2613: The Login Manager – Design Log... 🟡 CVE-2024-13650: The Piotnet Addons For Element... ⚠️ CVE-2025-25427: A Stored cross-site scripting ... ⚠️ CVE-2025-3509: A Remote Code Execution (RCE) ... ⚠️ CVE-2025-3246: An improper neutralization of ... 🟡 CVE-2025-3124: A missing authorization vulner... 🟢 CVE-2024-42178: HCL MyXalytics is affected by ... 🟡 CVE-2025-3765: A vulnerability, which was cla... 🟡 CVE-2025-3764: A vulnerability classified as ... 🟢 CVE-2024-42177: HCL MyXalytics is affected by ... 🟡 CVE-2025-3763: A vulnerability classified as ... 🟡 CVE-2025-3762: A vulnerability was found in P... 🟡 CVE-2025-29722: A CSRF vulnerability in Commer... 🟡 CVE-2025-28101: An arbitrary file deletion vul... 🔥 CVE-2025-28009: A SQL Injection vulnerability ... 🟢 CVE-2025-26269: DragonflyDB Dragonfly through ... 🟢 CVE-2025-26268: DragonflyDB Dragonfly before 1... ⚠️ CVE-2024-55211: An issue in Think Router Tk-Rt... 🟢 CVE-2021-47671: In the Linux kernel, the follo... ⚠️ CVE-2021-47670: In the Linux kernel, the follo... ⚠️ CVE-2021-47669: In the Linux kernel, the follo... ⚠️ CVE-2021-47668: In the Linux kernel, the follo... 🟢 CVE-2025-32415: In libxml2 before 2.13.8 and 2... ⚠️ CVE-2025-2947: IBM i 7.6  contains a privile... ⚠️ CVE-2025-29661: Litepubl CMS <= 7.0.9 is vulne... ⚠️ CVE-2025-29181: FOXCMS <= V1.25 is vulnerable ... ⚠️ CVE-2025-29180: In FOXCMS <=1.25, the installd... ⚠️ CVE-2025-29039: An issue in dlink DIR 832x 240... ⚠️ CVE-2025-43015: In JetBrains RubyMine before 2... 🟡 CVE-2025-43014: In JetBrains Toolbox App befor... 🟡 CVE-2025-43013: In JetBrains Toolbox App befor...
FICORA and CAPSAICIN Botnets Exploit Legacy D-Link Router Vulnerabilities

By Cybersecurity Team on

FICORA and CAPSAICIN Botnets Exploit Legacy D-Link Router Vulnerabilities

In late 2024, cybersecurity researchers observed a significant increase in activity from two botnets: the Mirai variant "FICORA" and the Kaiten variant "CAPSAICIN." Both botnets exploit known vulnerabilities in D-Link devices, particularly through the Home Network Administration Protocol (HNAP) interface, enabling remote command execution. The specific vulnerabilities targeted include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.

FICORA Botnet

The "FICORA" botnet has been active across multiple countries, indicating a broad, non-targeted attack strategy. It employs a downloader script named "multi" to fetch malware compatible with various Linux architectures, including ARM, MIPS, PowerPC, and SPARC. The malware's configuration, encompassing its command-and-control (C2) server domain and a unique identifier, is encrypted using the ChaCha20 algorithm. Additionally, "FICORA" integrates brute-force attack functionality with hard-coded username and password lists, enabling it to compromise other devices. Its capabilities include launching distributed denial-of-service (DDoS) attacks utilizing UDP, TCP, and DNS protocols.

CAPSAICIN Botnet

In contrast, the "CAPSAICIN" botnet exhibited a brief but intense period of activity on October 21–22, 2024, primarily focusing on East Asian nations. It utilizes a downloader script ("bins.sh") to retrieve binaries targeting multiple Linux architectures. Once active, "CAPSAICIN" establishes a connection with its C2 server, transmitting the victim host's operating system information and awaiting further commands. Notably, it terminates processes associated with other known botnets to ensure it maintains exclusive control over the compromised device. Its functionalities include executing shell commands, downloading files, and performing various types of DDoS attacks.

Implications and Recommendations

The resurgence of these botnets underscores the persistent threat posed by outdated or unpatched IoT devices. Despite the availability of patches, the continued prevalence of these attacks highlights a broader issue of neglected firmware updates and device maintenance. To mitigate such risks, it is crucial for organizations and individuals to:

  • Regularly update device firmware to address known vulnerabilities.
  • Replace end-of-life devices that no longer receive security updates.
  • Implement strong, unique passwords and disable unnecessary remote access features.
  • Employ comprehensive network monitoring to detect and respond to unusual activities promptly.

Conclusion

The activities of the "FICORA" and "CAPSAICIN" botnets highlight the critical importance of maintaining up-to-date security measures for network devices. Proactive management of device firmware and configurations is essential to defend against the exploitation of known vulnerabilities by malicious actors.

Back to Posts