A recently disclosed zero-day affecting Edimax devices has been exploited in the wild since at least May 2024, according to CDN and cybersecurity solutions provider Akamai.
The vulnerability, identified as CVE-2025-1316, has been confirmed to impact Edimax IC-7100 IP cameras, but Akamai believes other Edimax IoT products may be impacted as well.
Its existence came to light on March 4, when CISA published an advisory suggesting active exploitation. Akamai confirmed for SecurityWeek a few days later that CVE-2025-1316 has indeed been exploited in the wild, by multiple Mirai-based botnets.
The company, which has now released additional information on its findings, said it reported the vulnerability to Edimax in October 2024, but the vendor failed to take action.
Only after the flaw’s in-the-wild exploitation was reported by SecurityWeek, Edimax, a Taiwan-based networking solutions provider, issued a statement saying that the vulnerability impacts devices discontinued more than a decade ago and it cannot be patched “due to the unavailability of the development environment and source code”.
Akamai’s analysis showed that its honeypots logged the first signs of exploitation in May 2024. These exploitation attempts stopped for a few months, but spiked again in September 2024, as well as in January and February 2025.
However, exploitation may have started even sooner considering that — as the security firm reported — a PoC exploit for CVE-2025-1316 has been available since June 2023.
Akamai’s honeypots have logged exploitation attempts from two Mirai-based botnets. Once they successfully access a device and exploit the vulnerability, the attackers execute commands to download and execute the main Mirai payload.
Exploitation of CVE-2025-1316 requires authentication, but Akamai noticed that threat actors have been completing this requirement by accessing targeted devices with known default credentials.
Akamai pointed out that one of these botnets has also exploited CVE-2024-7214, an unpatched Totolink device vulnerability that came to light in the summer of 2024. There do not appear to be any previous reports confirming exploitation of this vulnerability, but Totolink product flaws are known to have been targeted by Mirai-based botnets.
“One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices,” Akamai said.
The company has made available indicators of compromise (IoC), as well as Yara and Snort rules.
Related: BadBox Botnet Powered by 1 Million Android Devices Disrupted
Related: Vo1d Botnet Evolves as It Ensnares 1.6 Million Android TV Boxes
Related: New Eleven11bot DDoS Botnet Powered by 80,000 Hacked Devices
