
C0XMO Gafgyt Variant Exploits DD-WRT Routers via CVE-2021-27137

Severity: High (Score: 72.5)

Sources: Socprime, Gbhackers

Published: 2026-06-05 · Updated: 2026-06-05

Keywords: c0xmo, gafgyt, variant, dd-wrt, routers, botnet, tracked

Severity indicators: ot, botnet

Summary

A new Gafgyt botnet variant named C0XMO has emerged, targeting DD-WRT routers by exploiting CVE-2021-27137, a buffer overflow vulnerability in the UPnP service. This malware employs a Python-based scanner to propagate across various CPU architectures, utilizing weak credentials and DDoS capabilities. Once infected, it establishes persistence through hidden files, cron jobs, and shell profile modifications. The botnet communicates with its command-and-control server at 85.215.131.70. Organizations are advised to upgrade their DD-WRT firmware and disable unnecessary remote services. Indicators of compromise (IOCs) and defensive measures are provided for affected systems. The malware's ability to spread across different Linux devices highlights a significant shift in IoT malware tactics.

Key Points:

  • C0XMO exploits CVE-2021-27137 in DD-WRT routers to spread.
  • The malware uses a Python scanner for multi-architecture propagation.
  • Organizations should upgrade firmware and disable UPnP, Telnet, and SSH.

Detailed Analysis

**Impact**

The C0XMO Gafgyt variant targets DD-WRT routers running vulnerable firmware, affecting IoT devices across multiple CPU architectures. The botnet's propagation capabilities and DDoS functions pose risks to network availability and operational continuity, particularly for organizations with exposed edge devices. No specific geographic or sectoral impact data is provided in the sources.

**Technical Details**

The attack exploits CVE-2021-27137, a stack buffer overflow in the UPnP SSDP parser of DD-WRT firmware, to gain initial access. C0XMO uses a Python-based scanner delivered from 217.160.125.125:15527 to perform Telnet and SSH brute-force attacks and deploy architecture-specific binaries. Persistence is achieved via hidden files in /tmp, /var/tmp, /dev/shm, cron jobs, and shell profile modifications. The malware communicates with C2 infrastructure at 85.215.131.70 using a custom handshake over TCP. Indicators include the IPs 217.160.125.125 and 85.215.131.70, hidden files named .sys, and cron jobs executing every 15 minutes.

**Recommended Response**

Apply DD-WRT firmware updates newer than changeset 45723 and patch all related CVEs immediately. Disable unnecessary remote services such as UPnP, Telnet, and SSH on internet-facing devices and enforce strong, unique credentials. Deploy network-based detections for the identified IP addresses, ports, and command patterns, and monitor for outbound connections to the C2 server and the scanner download port. Block the malicious IPs and isolate compromised devices for forensic analysis and remediation.
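The network and host indicators listed above can be turned into simple hunting checks. The following is an added example, not code from the source articles or from FortiGuard Labs; the flow-log format, the crontab entries and the file paths it is run against are constructed for illustration, and the C2 destination port is assumed since the advisory only states that the handshake is over TCP.

```python
"""Hunting checks for the C0XMO indicators named in the advisory."""
import re
import posixpath

# Indicators taken from the advisory text.
C2_HOST = "85.215.131.70"
SCANNER_HOST = "217.160.125.125"
SCANNER_PORT = 15527
DROP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Assumed flow-log format (constructed): "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)")

def flag_flows(lines):
    """Return (timestamp, source, reason) for flows matching the network indicators."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        if dst == C2_HOST:
            hits.append((ts, src, "outbound connection to C2 " + C2_HOST))
        elif dst == SCANNER_HOST and int(dport) == SCANNER_PORT:
            hits.append((ts, src, f"scanner download from {SCANNER_HOST}:{SCANNER_PORT}"))
    return hits

def is_suspect_path(path):
    """True for a hidden file (dot-prefixed) inside one of the drop directories."""
    directory, name = posixpath.split(path)
    return directory in DROP_DIRS and name.startswith(".")

def flag_cron(entries):
    """Flag crontab lines that fire every 15 minutes and run a suspect hidden file."""
    hits = []
    for entry in entries:
        fields = entry.split(None, 5)
        if entry.startswith("#") or len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        every_15 = minute in ("*/15", "0,15,30,45")
        if every_15 and any(is_suspect_path(tok) for tok in command.split()):
            hits.append(entry)
    return hits

# Constructed sample data; the C2 destination port 8080 is an assumption.
SAMPLE_FLOWS = [
    "2026-06-05T10:00:01Z 192.0.2.10:44321 -> 203.0.113.5:443 tcp",
    "2026-06-05T10:00:07Z 192.0.2.10:44322 -> 217.160.125.125:15527 tcp",
    "2026-06-05T10:00:19Z 192.0.2.10:44323 -> 85.215.131.70:8080 tcp",
]
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew",
    "*/15 * * * * /dev/shm/.sys > /dev/null 2>&1",
]
```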

Source articles (2)

  • New Gafgyt Variant Targets Linux Systems With Modular Spread Tactics — Gbhackers · 2026-06-05
    A new Gafgyt-family botnet, tracked as C0XMO, marks a notable technical shift in IoT malware design: the separation of scanning and propagation into distinct components and multi-architecture payloads…
  • C0XMO Gafgyt Variant Spreads Through DD-WRT Routers — Socprime · 2026-06-05
    FortiGuard Labs identified a new Gafgyt botnet strain named C0XMO that propagates by exploiting a buffer overflow flaw in DD-WRT routers tracked as CVE-2021-27137. The malware uses a separate Python-…

Timeline

  • 2021-09-01 — CVE-2021-27137 published: A buffer overflow vulnerability in the UPnP service of DD-WRT firmware was disclosed.
  • 2026-06-05 — C0XMO Gafgyt variant identified: FortiGuard Labs reported the emergence of the C0XMO variant exploiting CVE-2021-27137.
  • 2026-06-05 — Propagation methods detailed: C0XMO uses a Python scanner and weak credential attacks to spread across Linux devices.

CVEs

  • CVE-2021-27137

Related entities

  • Botnet (Attack Type)
  • Brute Force (Attack Type)
  • DDoS (Attack Type)
  • Malware (Attack Type)
  • CWE-120 - Classic Buffer Overflow (CWE)
  • CWE-122 - Heap-based Buffer Overflow (CWE)
  • 85.215.131.70 (IPv4)
  • C0XMO (Malware)
  • Gafgyt (Malware)
  • T1053 - Scheduled Task/Job (MITRE ATT&CK)
  • T1059.006 - Python (MITRE ATT&CK)
  • T1110 - Brute Force (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • T1546.007 - Netsh Helper DLL (MITRE ATT&CK)
  • DD-WRT (Platform)
  • Linux (Platform)