New Mirai Botnet Variant Hijacks TBK DVRs via CVE-2024-3721
Emily Davis

Threat actors exploit CVE-2024-3721 in TBK DVRs and EoL TP-Link routers to deploy Mirai botnet variants. Learn how to protect your devices from this growing threat.
Threat actors are actively exploiting security flaws in TBK DVR devices and end-of-life (EoL) TP-Link Wi-Fi routers to spread new variants of the Mirai botnet. According to recent findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, these attacks are turning vulnerable hardware into weapons for massive DDoS campaigns.
If you're running older network equipment or DVRs, this is a wake-up call. The attacks specifically target CVE-2024-3721, a medium-severity command injection vulnerability with a CVSS score of 6.3. That might not sound critical on paper, but in practice, it's more than enough to give attackers full control over your devices.
### What's Happening with TBK DVRs?
The attack chain starts with the TBK DVR. Hackers exploit CVE-2024-3721 to inject malicious commands directly into the device's operating system. Once they're in, they deploy a Mirai variant called Nexcorium. This malware turns the DVR into a botnet zombie, ready to launch DDoS attacks at the attacker's command.
Here's what makes this particularly dangerous:
- TBK DVRs are widely used in surveillance systems, often in businesses and homes.
- Many of these devices are never updated after installation.
- The vulnerability is relatively easy to exploit, even for low-skilled attackers.
### The Role of EoL TP-Link Routers
But it's not just DVRs. The same threat actors are also targeting end-of-life TP-Link Wi-Fi routers. These routers no longer receive security patches, so any known flaw remains open indefinitely. By compromising these routers, attackers expand their botnet's reach, creating a larger and more resilient network of infected devices.
If you're still using a TP-Link router that's past its support date, you're essentially leaving your front door unlocked. The attackers don't need to break in; they just walk right in.
### How the Nexcorium Botnet Operates
Once a device is infected, Nexcorium connects to a command-and-control (C2) server. The botnet can then:
- Launch distributed denial-of-service (DDoS) attacks against targets.
- Download and execute additional payloads.
- Spread to other vulnerable devices on the same network.
This isn't just about one device being hijacked. It's about an entire network becoming part of a weaponized botnet. The attackers can use these devices to take down websites, disrupt services, or even extort money from victims.
### What You Can Do to Protect Yourself
Protecting your devices doesn't have to be complicated. Here are a few practical steps:
- Update firmware regularly. Check for updates on your DVR and router at least once a month.
- Replace end-of-life hardware. If your router is no longer supported, buy a new one. It's worth the $50 to $150 investment.
- Change default passwords. Many TBK DVRs ship with weak default credentials. Change them immediately.
- Segment your network. Keep DVRs and IoT devices on a separate VLAN from your main computers.
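The segmentation advice above only pays off if someone checks that the boundary holds. The script below is an added example, not code from the article or from FortiGuard Labs or Unit 42: it audits a handful of constructed flow-log lines and flags any device on the IoT VLAN that initiates a connection into the main LAN, to another IoT device, or to an external host outside an allowlist, which are the behaviours a hijacked DVR would show when it calls out to a C2 server or scans its neighbours. The subnets, gateway address, allowlist entries, port numbers and log format are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not taken from the article or any real capture).
# Format assumed: timestamp src_ip dst_ip dst_port protocol
SAMPLE_FLOWS = [
    "2024-06-01T10:00:01 192.168.50.10 192.168.50.1 53 udp",     # DVR -> VLAN gateway DNS: expected
    "2024-06-01T10:00:02 192.168.50.10 203.0.113.7 6667 tcp",    # DVR -> unknown external host: possible C2 callout
    "2024-06-01T10:00:03 192.168.50.10 192.168.10.25 445 tcp",   # DVR -> workstation on main LAN: segmentation violation
    "2024-06-01T10:00:04 192.168.50.11 198.51.100.5 123 udp",    # camera -> allowlisted NTP server: expected
    "2024-06-01T10:00:05 192.168.10.25 192.168.50.10 80 tcp",    # workstation -> DVR web UI: allowed direction
    "2024-06-01T10:00:06 192.168.50.10 192.168.50.12 23 tcp",    # DVR -> another IoT device on telnet: lateral probe
]

# Assumed network layout: IoT/DVR devices on one VLAN, computers on another.
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")
MAIN_LAN = ipaddress.ip_network("192.168.10.0/24")
IOT_GATEWAY = ipaddress.ip_address("192.168.50.1")
ALLOWED_GATEWAY_PORTS = {53}                 # DNS to the VLAN gateway only
ALLOWED_EXTERNAL = {("198.51.100.5", 123)}   # placeholder NTP server an IoT device may reach


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def classify(flow):
    """Return a finding label for an IoT-initiated flow, or None if it is expected.

    Only flows whose source sits on the IoT VLAN are judged; traffic from the
    main LAN toward a DVR (e.g. viewing its web UI) is the permitted direction.
    Explicit network membership is used rather than ip_address.is_private,
    because Python treats the documentation ranges used here as private.
    """
    src, dst, port = flow["src"], flow["dst"], flow["port"]
    if src not in IOT_VLAN:
        return None
    if dst in MAIN_LAN:
        return "crosses-into-main-lan"
    if dst in IOT_VLAN:
        if dst == IOT_GATEWAY and port in ALLOWED_GATEWAY_PORTS:
            return None
        return "iot-to-iot"
    if (str(dst), port) in ALLOWED_EXTERNAL:
        return None
    return "unexpected-external"


def audit(lines):
    """Group findings by the IoT source address that produced them."""
    findings = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            findings[str(flow["src"])].append((verdict, str(flow["dst"]), flow["port"]))
    return dict(findings)


if __name__ == "__main__":
    for device, hits in audit(SAMPLE_FLOWS).items():
        print(f"{device}:")
        for verdict, dst, port in hits:
            print(f"  {verdict:24s} -> {dst}:{port}")
```

Run against real flow or firewall logs, a DVR that suddenly shows up under "unexpected-external" or "iot-to-iot" is the signal to pull it off the network and check its firmware, since an uninfected DVR has no reason to reach hosts other than its gateway and a short list of update or time servers.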
### Why This Matters for Businesses
For businesses, the stakes are even higher. A compromised DVR or router can expose sensitive footage, disrupt operations, or lead to costly downtime. And if your devices are used in a DDoS attack, your IP address could end up on blacklists, affecting your email deliverability and online reputation.
The good news is that these attacks are preventable with basic cybersecurity hygiene. Don't assume that because a device is "just a DVR" or "just a router," it's not a target. Attackers don't discriminate; they just look for the easiest way in.
### Final Thoughts
The Nexcorium variant is just the latest example of how old vulnerabilities continue to haunt us. CVE-2024-3721 might be a medium-severity flaw, but when combined with neglected hardware, it becomes a high-severity problem. Stay vigilant, patch what you can, and replace what you can't.
Your devices are only as secure as your last update.