C0XMO Gafgyt Botnet Exploits DD-WRT Routers Through UPnP Flaw

C0XMO, a new Gafgyt botnet variant, is abusing an old DD-WRT UPnP buffer overflow to spread across routers and IoT devices. Update firmware, disable exposed UPnP, and check for suspicious persistence.

C0XMO, a newly documented Gafgyt botnet variant, is abusing a DD-WRT router UPnP buffer overflow to spread across exposed or poorly segmented devices, according to FortiGuard Labs research surfaced in fresh security coverage on June 7.[1] The issue matters because the malware is not limited to one router model: researchers found payloads for multiple CPU families, including ARM, MIPS, PowerPC, SuperH, x86, and x86_64, which makes older routers, DVRs, and Linux-based IoT devices a useful pool for DDoS operators.[1]

[Editorial comic: C0XMO entering a DD-WRT router through UPnP. Caption: When UPnP is left half-awake, the botnet does not even need to knock politely.]

Fortinet ties the initial delivery to CVE-2021-27137, a DD-WRT UPnP stack buffer overflow. The older SSD disclosure described the bug as an unauthenticated overflow in user-supplied UPnP data and listed DD-WRT change set 45723 or earlier as affected; it also noted that UPnP is disabled by default and normally listens on internal interfaces, which is an important scoping detail for defenders.[2] In practice, that means the riskiest devices are those running old firmware, exposing management or UPnP paths beyond the intended LAN, or sitting on flat networks where a compromised host can reach the router.

What admins should check now

C0XMO still has the familiar botnet goal: launch distributed denial-of-service traffic. The difference is the implementation. Public reporting says the malware supports 19 DDoS methods and uses a modular scanner that installs Python packages, scans common ports such as SSH, Telnet, HTTP/S, TR-069-style ports, and Android Debug Bridge paths, then attempts weak credential access and CPU-appropriate payload deployment.[1]

Once on a device, the malware tries to stay resident by copying itself into hidden paths such as /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys, adding cron persistence, and modifying shell startup files. It also removes rival botnet clients and some tooling that could interfere with its control of the host, then communicates with command-and-control over a custom channel.[1] That cleanup behavior is why a router that suddenly becomes quieter after previous noisy infections is not automatically healthy.

Owners of DD-WRT routers should first confirm the firmware build and upgrade beyond the vulnerable 2021-era change set where possible. If UPnP is not required, disable it; if it is required for a specific console or application, keep it limited to the trusted LAN and review unexpected port mappings. Security teams should also look for unusual outbound connections from routers or IoT segments, new cron entries, unexpected files under temporary memory-backed paths, and failed or successful Telnet/SSH login bursts.
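As an added example (not from the article, FortiGuard Labs, or the DD-WRT project), the POSIX shell triage below checks a Linux or BusyBox-style host for the persistence artifacts described above: the three hidden .sys drop paths, and cron or shell startup files that reference them. The ROOT prefix, the cron and startup path lists, and the function names are assumptions chosen for illustration; adjust the path lists to the device being inspected.

```shell
#!/bin/sh
# Added triage helper (not from the article or from FortiGuard): checks a Linux or
# BusyBox-style host for the C0XMO persistence artifacts the coverage describes.
# ROOT is an assumed prefix so the script can run against a mounted or copied
# filesystem image; leave it empty to inspect the live host.
ROOT="${ROOT:-}"

# Hidden drop locations named in public reporting.
SYS_PATHS="/tmp/.sys /var/tmp/.sys /dev/shm/.sys"
# Cron locations to inspect (assumed; common on DD-WRT/BusyBox builds).
CRON_PATHS="/etc/crontab /etc/cron.d /var/spool/cron/crontabs /tmp/cron.d"
# Shell startup files to inspect (assumed list; the malware is reported to modify them).
STARTUP_FILES="/etc/profile /root/.profile /root/.bashrc /etc/rc.local"

# Print "FILE <path>" for each hidden .sys path that exists under ROOT.
c0xmo_check_paths() {
  for p in $SYS_PATHS; do
    [ -e "$ROOT$p" ] && echo "FILE $p"
  done
  return 0
}

# Print every file under the given paths whose contents reference a drop path.
# -r lets one call handle both single files and cron directories.
c0xmo_grep_refs() {
  for f in "$@"; do
    [ -e "$ROOT$f" ] || continue
    grep -rl -e '/tmp/\.sys' -e '/var/tmp/\.sys' -e '/dev/shm/\.sys' \
      "$ROOT$f" 2>/dev/null || true
  done
  return 0
}

# Full report: returns 1 when any indicator is present, 0 when none is found.
c0xmo_triage() {
  findings=$(
    c0xmo_check_paths
    c0xmo_grep_refs $CRON_PATHS | sed "s|^$ROOT||; s|^|CRON |"
    c0xmo_grep_refs $STARTUP_FILES | sed "s|^$ROOT||; s|^|STARTUP |"
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "no C0XMO persistence indicators found under '${ROOT:-/}'"
  return 0
}

# Run the report only when invoked as: sh c0xmo_triage.sh run
case "${1:-}" in run) c0xmo_triage ;; esac
```

A non-zero exit means at least one indicator was found, so the script can be dropped into an existing fleet check; a clean result does not prove the device is healthy, since the router itself may have been patched or rebooted by the malware's cleanup routines.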

The story fits a familiar pattern on howtofix.guide: router botnets keep recycling old flaws because small edge devices are rarely audited after installation. The older Dark Mirai TP-Link router campaign showed how RCE bugs become botnet fuel, while Mozi attacks against Netgear, D-Link, and Huawei routers illustrated how home and small-office gear can be pulled into broader IoT traffic. For malware-family background, HowToFix also tracks Gafgyt detections on Linux devices.

For home users, the practical response is simple but not optional: update DD-WRT, turn off unnecessary UPnP and remote administration, replace default or reused admin passwords, and, if the device is managed by an IT team, collect useful evidence before rebooting. If a router cannot receive current firmware, replacement is a security fix, not just a hardware upgrade.

References

  1. FortiGuard Labs, Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO; BleepingComputer, C0XMO botnet spreads via DD-WRT router flaw, kills rival malware, June 7, 2026.
  2. SSD Secure Disclosure, SSD Advisory – DD-WRT UPNP Buffer Overflow, March 24, 2021.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
