Botnet Blitz: Zerobot Strikes Tenda Routers in Sophisticated Supply Chain Assault
A new wave of attacks leverages fresh vulnerabilities in Tenda routers and automation platforms, exposing critical infrastructure to Mirai-inspired botnets.
When a small flaw in an everyday device can open the floodgates to a global cybercrime operation, it’s time to pay attention. In the latest chilling development, security researchers have uncovered a botnet campaign - dubbed Zerobot - that’s weaponizing newly discovered vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. The result? Everyday devices are being hijacked into a sprawling criminal network, with attackers snatching sensitive data and laying the groundwork for further havoc.
Inside the Zerobot Campaign
Akamai’s global network of honeypots first noticed the Zerobot campaign in early 2026, observing coordinated attacks exploiting two newly disclosed vulnerabilities. The first, CVE-2025-7544, is a buffer overflow flaw in the Tenda AC1206 router’s web management interface. By manipulating input to the deviceList parameter, attackers can remotely execute arbitrary code - potentially knocking devices offline or hijacking them for further attacks. The second vulnerability, CVE-2025-68613, affects the n8n automation platform, a popular tool in IT and industrial operations. Here, insecure expression evaluation allows unauthenticated attackers to run malicious code, access sensitive configuration files, and even move laterally within an organization’s network.
What sets Zerobot apart is its speed and sophistication. Proof-of-concept exploits for these flaws were barely public before attackers pounced, deploying Mirai-inspired payloads that install a malicious shell script (tol.sh) and then fetch the main Zerobot malware. The infected device connects to a command-and-control server, receiving orders to download infostealers, harvest browser credentials, and siphon off SSH keys and code repositories - treasure troves for cybercriminals targeting developers and IT teams.
The attack chain shows a high degree of automation and obfuscation. Payloads are fetched from seemingly legitimate hosting services, and malicious scripts are disguised to evade detection. The fact that n8n is used in critical infrastructure magnifies the risk: a single exploited server could give attackers a foothold in sensitive environments, from manufacturing to energy grids.
Akamai researchers warn that this campaign is a wake-up call. The interconnectedness of IoT devices and automation platforms means vulnerabilities in disparate products can be chained for devastating effect. Organizations relying on Tenda routers or n8n must act quickly: patch systems, monitor for unusual traffic, and deploy network detection tools to spot and stop intrusions before they spiral out of control.
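The "monitor for unusual traffic" advice above can be made concrete with a small log-triage script. The Python below is an added example, not code from Akamai, Tenda or n8n: it scans web-server and proxy access lines in the common combined log format for the two indicators the write-up names, an oversized value in the Tenda `deviceList` parameter (the CVE-2025-7544 overflow vector) and a fetch of the `tol.sh` dropper script. The log lines, IP addresses, paths and the 200-byte length threshold are constructed for the example and are not indicators taken from the report.

```python
"""Defensive log triage for the Zerobot indicators described in the write-up.

Added example code; not the researchers' or vendors' tooling. Scans access/proxy
logs (combined log format) for:
  * oversized values in the Tenda `deviceList` parameter (CVE-2025-7544 vector)
  * downloads of the `tol.sh` dropper script
Hosts, IPs, paths and the threshold below are constructed placeholders.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumed threshold: a legitimate device name is a few dozen bytes at most, so a
# value this long is only plausible as an overflow attempt. Tune to the real field limit.
DEVICELIST_MAX = 200

# Constructed sample lines. The /cgi-bin/... path and the host are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Feb/2026:09:14:02 +0000] "GET /cgi-bin/devices?deviceList=printer01 HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2026:09:14:05 +0000] "GET /cgi-bin/devices?deviceList={big} HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.7 - - [03/Feb/2026:09:14:06 +0000] "GET http://files.example.invalid/tol.sh HTTP/1.1" 200 2048 "-" "Wget/1.21"
192.0.2.11 - - [03/Feb/2026:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 340 "-" "Mozilla/5.0"
""".replace("{big}", "A" * 600)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_devicelist(target):
    """Return the decoded deviceList value if it exceeds DEVICELIST_MAX, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("deviceList", []):
        decoded = unquote(value)
        if len(decoded) > DEVICELIST_MAX:
            return decoded
    return None


def is_dropper_fetch(target):
    """True when the requested resource is the tol.sh dropper named in the report."""
    return urlsplit(target).path.rsplit("/", 1)[-1] == "tol.sh"


def scan_log(text):
    """Return (source_ip, finding, detail) tuples for every suspicious line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        oversized = check_devicelist(target)
        if oversized is not None:
            findings.append((rec["ip"], "oversized deviceList", len(oversized)))
        if is_dropper_fetch(target):
            findings.append((rec["ip"], "tol.sh dropper fetch", target))
    return findings


def suspicious_sources(findings):
    """Count findings per source IP so repeat offenders surface first."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, finding, detail in hits:
        print(f"{ip:16} {finding:24} {detail}")
    print("by source:", dict(suspicious_sources(hits)))
```

The length check is deliberately path-independent: it keys on the parameter name rather than on a specific management endpoint, so it still fires if the vulnerable handler lives at a different URL on a given firmware build. Feed it real logs via `scan_log(open(path).read())` and forward the counter output to whatever alerting the network detection tooling already provides.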
Conclusion
As cybercriminals move with increasing agility, the Zerobot campaign exposes the fragility of our everyday tech. In a world where routers and workflow tools double as criminal infrastructure, vigilance, timely patching, and layered defense are no longer optional - they’re the last line of defense against the next big botnet blitz.
WIKICROOK
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Buffer Overflow: A buffer overflow is a software flaw where too much data is written to memory, potentially letting hackers exploit the system by running malicious code.
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Lateral Movement: Lateral movement is when attackers, after breaching a network, move sideways to access more systems or sensitive data, expanding their control and reach.