Multiple botnets are exploiting an Edimax IP camera vulnerability whose existence was disclosed this week by the cybersecurity agency CISA, SecurityWeek has learned.
CISA published an advisory on March 4 to inform users of Edimax IC-7100 IP cameras that the devices are affected by CVE-2025-1316, a critical command injection issue caused by failure to properly neutralize requests. An attacker can achieve remote command execution through specially crafted requests.
Edimax is a networking solutions provider based in Taiwan. According to CISA’s advisory, the products affected by the zero-day are used in the commercial facilities sector around the world.
CISA suggested that the vulnerability has likely not been patched by Edimax, and urged users to reach out to the vendor. IC-7100 network cameras are listed as ‘legacy products’ by the vendor, which means they have likely reached end of life and end of support.
The agency’s advisory does not specifically say that the vulnerability has been exploited in the wild, but it does note that “organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents”.
CISA said the vulnerability was discovered by CDN, cloud and cybersecurity solutions provider Akamai, which confirmed to SecurityWeek that it has seen CVE-2025-1316 being exploited in the wild since the fall of 2024. The company identified the vulnerability while monitoring botnet activity.
Akamai researcher Kyle Lefton said the vulnerability has been exploited by multiple Mirai-based botnets. The Edimax camera flaw is one of the many vulnerabilities exploited by these botnets to ensnare devices — CVE-2025-1316 is one of the latest to be added to these botnets’ arsenal.
Lefton clarified that exploitation of CVE-2025-1316 requires authentication, but attackers are leveraging the fact that many internet-exposed cameras can be accessed with known default credentials.
Once they have gained access to a device, the attackers run a remote command execution exploit and execute a shell script that downloads a Mirai malware payload from a remote server, Lefton explained.
SecurityWeek reached out to Edimax for comment before this article was published, but the company has not responded.
The vendor, first notified in October 2024, has been unresponsive to CISA and Akamai’s attempts to coordinate disclosure of the vulnerability, but it did tell Akamai last year that it does not patch vulnerabilities in products that have reached end of life.
On the other hand, Akamai believes the vendor should take the vulnerability more seriously as it could impact even supported products.
Despite its advisory suggesting that CVE-2025-1316 has been exploited, CISA has yet to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Akamai will release a blog post describing these attacks in the coming days.
Related: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes
Related: BadBox Botnet Powered by 1 Million Android Devices Disrupted
Related: New Eleven11bot DDoS Botnet Powered by 80,000 Hacked Devices
