C0XMO Botnet Shows Why Old Router Firmware Still Matters
Fortinet’s analysis of a new Gafgyt variant shows an old DD-WRT UPnP flaw being folded into a modular botnet built for routers, IoT devices, and DDoS attacks.
Router malware rarely needs a brand-new zero-day when old firmware is still online, weak credentials are still common, and remote-access services are still reachable.
That is the practical warning behind C0XMO, a newly detailed variant of the Gafgyt botnet family. FortiGuard Labs says it found the malware in March and observed it spreading through vulnerable DD-WRT router firmware by exploiting a UPnP buffer-overflow flaw tracked by Fortinet as CVE-2021-27137. Fortinet’s analysis says affected DD-WRT builds are changesets before 45723 and describes the impact as remote attackers gaining control of vulnerable systems.
The flaw itself is not new. SSD Secure Disclosure published the original DD-WRT UPnP advisory in March 2021, saying DD-WRT with changeset 45723 or earlier was affected and that the vendor fix could be reviewed in changeset 45724. SSD’s advisory explains that the bug involves user-supplied UPnP data being copied into a fixed-size internal buffer and notes that DD-WRT’s UPnP service is disabled by default and normally listens only on internal interfaces.
A botnet built for many device types
C0XMO matters because it wraps that old router bug into a broader, modular infection pipeline. Fortinet says the campaign used malware samples compiled for multiple Linux architectures, including ARM, MIPS, PowerPC, SuperH, x86, and x86_64. The same report says C0XMO separates lateral movement into a standalone Python scanner, a design choice that helps the operators target more architectures and device types efficiently.
That scanner is not limited to one router model. Fortinet says the malware installs Python packages such as requests, Paramiko, and BeautifulSoup, then scans common SSH, Telnet, HTTP, HTTPS, TR-069, Android Debug Bridge, and alternate web ports. Fortinet’s technical breakdown says the scanner can brute-force weak Telnet and SSH credentials, detect CPU architecture, and deploy a compatible C0XMO binary.
It also cleans house
Once C0XMO lands, it tries to stay there. Fortinet says the bot copies itself into hidden locations such as /tmp/.sys, /var/tmp/.sys, and /dev/shm/.sys, creates cron jobs to relaunch every 15 minutes, and modifies shell startup files for automatic execution. The researchers also found competitor-killing behavior: C0XMO scans running processes, terminates rival botnet clients or tools that may interfere with it, deletes matching binaries, and removes persistence entries such as cron jobs, init scripts, system services, and shell profile entries.
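The persistence artifacts listed above (hidden .sys directories under /tmp, /var/tmp and /dev/shm, cron entries that relaunch every 15 minutes, and shell startup files that launch from those directories) are concrete enough to check for on a device. The following triage script is an added example, not Fortinet's code or part of the report; the cron and profile file paths it inspects in live mode are assumptions about a typical Linux or DD-WRT image, and the crontab and profile text it scans in demonstration mode is constructed sample input.

```shell
#!/bin/sh
# Added triage helper (not from the Fortinet report). Looks for the
# persistence artifacts the report attributes to C0XMO: hidden ".sys"
# directories under /tmp, /var/tmp and /dev/shm, cron entries that relaunch
# every 15 minutes, and shell startup files that start something from there.

# Hidden drop locations named in the analysis.
SUSPECT_DIRS="/tmp/.sys /var/tmp/.sys /dev/shm/.sys"
# A line "references a suspect path" if one of those directories appears
# as a standalone path token (start of line or after whitespace).
SUSPECT_RE='(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/\.sys(/|[[:space:]]|$)'

# Constructed sample inputs for a stand-alone run (not real captures).
SAMPLE_CRONTAB='0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.sys/bot >/dev/null 2>&1
*/15 * * * * /var/tmp/.sys/bot >/dev/null 2>&1
@reboot /usr/bin/ntpd'
SAMPLE_PROFILE='export PATH=/usr/sbin:/usr/bin:/sbin:/bin
/dev/shm/.sys/bot &
alias ll="ls -la"'

# Number of lines in $1 that reference a suspect path (prints 0 if none).
count_suspect_refs() {
    printf '%s\n' "$1" | grep -Ec "$SUSPECT_RE" || true
}

# Number of cron lines in $1 that fire every 15 minutes AND point at a
# suspect path, i.e. the relaunch interval described in the report.
count_relaunch_cron() {
    printf '%s\n' "$1" | grep -E '^\*/15[[:space:]]' | grep -Ec "$SUSPECT_RE" || true
}

# Number of the suspect directories that actually exist on this host.
count_present_dirs() {
    n=0
    for d in $SUSPECT_DIRS; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Live mode: scan crontabs and shell startup files on this host. The file
# list is an assumption about common Linux / DD-WRT layouts; unreadable or
# missing entries are skipped. Returns 0 when no indicator was found.
scan_live_host() {
    hits=$(count_present_dirs)
    [ "$hits" -gt 0 ] && echo "hidden .sys directory present: $hits"
    for f in /etc/crontab /etc/crontabs/root /var/spool/cron/crontabs/root \
             /tmp/cron.d/* /etc/profile /root/.profile /root/.bashrc /etc/rc.local; do
        [ -r "$f" ] || continue
        c=$(count_suspect_refs "$(cat "$f")")
        [ "$c" -gt 0 ] && echo "suspect reference(s) in $f: $c"
        hits=$((hits + c))
    done
    echo "total indicators: $hits"
    [ "$hits" -eq 0 ]
}

if [ "${1:-}" = "--live" ]; then
    scan_live_host
else
    echo "sample crontab: $(count_suspect_refs "$SAMPLE_CRONTAB") suspect line(s)," \
         "$(count_relaunch_cron "$SAMPLE_CRONTAB") every-15-minute relaunch entries"
    echo "sample profile: $(count_suspect_refs "$SAMPLE_PROFILE") suspect line(s)"
fi
```

Run it with no arguments to see the constructed samples scored, or with `--live` on the device itself; a non-zero exit from `scan_live_host` means at least one indicator was found and the device should be taken off the network and re-flashed rather than cleaned in place, since the bot also rewrites startup files.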
The final business model is familiar: denial-of-service capacity. Fortinet says C0XMO’s command handler supports heartbeat checks, scanning commands, and 19 DDoS methods, including UDP, TCP, SYN, ICMP, NTP amplification, Memcached amplification, HTTP floods, and game-service-specific floods. Fortinet’s command-handler section lists those commands and attack methods. BleepingComputer also highlighted the report, noting that the botnet is aimed at DD-WRT firmware while retaining the ability to move across other device types. The BleepingComputer story was the original shortlist discovery item for this SXZ report.
What owners should do now
The defensive lesson is straightforward: do not treat home-office routers and small-business network gear as set-and-forget appliances. Fortinet recommends updating affected network devices and IoT systems to current firmware, disabling unnecessary Telnet, UPnP, and other remote-access services, enforcing strong credentials, and monitoring for suspicious outbound scans or exploitation attempts. Fortinet lists those mitigations in its conclusion. SSD’s earlier advisory adds an important nuance: because DD-WRT’s UPnP service is disabled by default and normally listens only on internal interfaces, owners should confirm whether it is enabled at all and whether it is reachable beyond the local network. SSD’s advisory documents the default UPnP behavior and the affected DD-WRT changeset.
For many organizations, the cheapest fix is still the least glamorous one: inventory the router, update the firmware, turn off services that are not needed, and change any default or reused administrative passwords. C0XMO is another reminder that attackers keep finding value in forgotten edge devices long after the original vulnerability headlines have faded.