New Zerobot malware exploits over 20 vulnerabilities in many routers, cameras, firewalls (December

Ref# AL2022_86 | Date: Dec 8th 2022


Recently discovered malware called Zerobot was spotted in November exploiting twenty-one (21) vulnerabilities in various Internet of Things (IoT) devices including Zyxel firewalls, D-Link routers and Hikvision cameras.  


Zerobot is Go-based malware that compromises devices and adds them to a botnet capable of Distributed Denial-of-Service (DDoS) attacks against specified targets. It is capable of self-replication, self-propagation and attacks on different protocols in a network, and it communicates with its command and control (C2) server using the WebSocket protocol.

The Zerobot malware targets a wide range of system architectures such as i386, AMD64, ARM, MIPS, PPC64, RISC64, and S390x, to name a few. Its infiltration tactic is the use of exploits to gain initial access to devices. After it gains access to a device, the malware downloads a script called zero that enables propagation of the malware. The malware also establishes a WebSocket connection to its C2 server to send information about the compromised device. The C2 server communicates with the malware using the following commands:  

  • ping: Heartbeat, used to maintain the connection

  • attack: Launches an attack for different protocols such as TCP, UDP, TLS, HTTP, ICMP

  • stop: Stops the attack

  • update: Installs an update and restarts Zerobot

  • enable_scan: Scans for open ports and starts propagating itself via exploit or SSH/Telnet cracker

  • disable_scan: Disables scanning

  • command: Runs commands by using cmd on Windows or bash on Linux

  • kill: Kills the botnet program

Zerobot also features an anti-kill module that prevents the termination of its process in the case of discovery. 

The different vulnerabilities that are exploited by this malware are as follows: 

  1. CVE-2014-08361 which affects the miniigd SOAP service in Realtek SDK

  2. CVE-2017-17106 which affects the Zivif PR115-204-P-RS webcams

  3. CVE-2017-17215 which affects Huawei HG523 routers

  4. CVE-2018-12613 which affects phpMyAdmin

  5. CVE-2020-10987 which affects Tenda AC15 AC1900 routers

  6. CVE-2020-25506 which affects D-Link DNS-320 (Network Storage Enclosure) NAS

  7. CVE-2021-35395 which affects Realtek Jungle SDK

  8. CVE-2021-36260 which affects Hikvision cameras that use web server services

  9. CVE-2021-46422 which affects Telesquare SDT-CW3B1 routers

  10. CVE-2022-01388 which affects F5 BIG-IP products

  11. CVE-2022-22965 which affects Spring MVC or Spring WebFlux applications (Spring4Shell)

  12. CVE-2022-25075 which affects TOTOLink A3000RU routers

  13. CVE-2022-26186 which affects TOTOLink N600R routers

  14. CVE-2022-26210 which affects TOTOLink A830R routers

  15. CVE-2022-30525 which affects Zyxel USG Flex 100(W) firewalls

  16. CVE-2022-34538 which affects MEGApix IP cameras

  17. CVE-2022-37061 which affects FLIR AX8 thermal sensor cameras

Four more exploited vulnerabilities have not been assigned a CVE: one targets Gigabit Passive Optical Network (GPON) terminals and another targets D-Link routers. Information on the other two remains unknown.

Indicators of Compromise 

For a list of file hashes associated with the Zerobot malware, follow the URL: 

The IP address of the C2 server used by Zerobot is 


If you are working with any of the devices mentioned above, it is highly recommended to patch the device(s) with the latest updates and actively apply patches as they become available in order to protect yourself from the Zerobot malware. It is also recommended to blacklist the malware's C2 server IP address.
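
Alongside patching and blocking, egress logs can be checked for the behaviours described above: a download of the script named zero and an outbound WebSocket connection from a device segment. The following is an added example, not part of the original alert. The log layout, the subnets, the blocklist address (a documentation-range placeholder, not the real C2 IP) and the idea that the script is fetched over HTTP are all assumptions.

```python
import ipaddress
import re

# Constructed sample of egress HTTP log lines (not real traffic); the key=value
# layout is an assumption, adapt parse() to your proxy or sensor format.
SAMPLE_LOG = """\
2022-12-08T10:00:01Z src=10.20.0.15 dst=203.0.113.50 method=GET uri=/zero upgrade=-
2022-12-08T10:00:09Z src=10.20.0.15 dst=203.0.113.50 method=GET uri=/ upgrade=websocket
2022-12-08T10:01:30Z src=10.30.0.7 dst=198.51.100.9 method=GET uri=/chat upgrade=websocket
2022-12-08T10:02:00Z src=10.20.0.22 dst=10.20.0.1 method=GET uri=/status upgrade=websocket
2022-12-08T10:03:12Z src=10.20.0.22 dst=192.0.2.80 method=GET uri=/firmware/zero.bin upgrade=-
"""

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed camera/router VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal address space
C2_BLOCKLIST = {"203.0.113.50"}                  # placeholder, not the real C2 IP

def parse(line):
    """Split one log line into a dict of its key=value fields plus 'ts'."""
    ts, *pairs = line.split()
    return {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def findings(log_text):
    """Return (src, reason) tuples for IoT hosts showing Zerobot-like egress."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        ev = parse(line)
        src = ipaddress.ip_address(ev["src"])
        dst = ipaddress.ip_address(ev["dst"])
        if src not in IOT_NET:
            continue  # other segments may use WebSocket legitimately
        if ev["dst"] in C2_BLOCKLIST:
            hits.append((ev["src"], "blocklisted C2 address"))
        if ev["upgrade"].lower() == "websocket" and dst not in INTERNAL:
            hits.append((ev["src"], "external WebSocket from IoT segment"))
        if re.fullmatch(r"(.*/)?zero", ev["uri"]):  # exact file name only
            hits.append((ev["src"], "download of script named 'zero'"))
    return hits

if __name__ == "__main__":
    for src, reason in findings(SAMPLE_LOG):
        print(src, reason)
```

On the constructed sample only 10.20.0.15 is reported; the internal WebSocket session and the request for zero.bin are not flagged.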

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     
