
CVE-2017-17215, CVE-2025-29635, CVE-2024-1781, CVE-2018-8007: Multi-Vendor Router Flaws Enable Botnet DDoS (June 2026)
CVE-2017-17215, CVE-2025-29635, CVE-2024-1781, CVE-2018-8007 — Multi-Vendor Routers and Servers
The RustDuck botnet is actively exploiting CVE-2017-17215, CVE-2025-29635, CVE-2024-1781, and CVE-2018-8007 (all high severity) to compromise home routers, IP cameras, Android boxes, and poorly secured servers. These vulnerabilities allow remote attackers to gain unauthorized access, deploy malware, and conscript devices into a DDoS botnet. RustDuck’s use of modern encryption and evasion techniques complicates detection and takedown. All four CVEs are under active exploitation in the wild.
Attack Vector
Attackers scan for devices with exposed management interfaces or outdated firmware, targeting weak/default credentials and unpatched vulnerabilities. Once access is gained, the RustDuck malware is deployed in a two-stage process, establishing persistence and command-and-control via domains such as duckdns.org and IP 176.65.139.204. The botnet then leverages infected devices to launch DDoS attacks, flooding targets with junk traffic. RustDuck’s codebase, rewritten in Rust, incorporates anti-analysis and encryption to evade network monitoring and forensic tools. Indicators of compromise include outbound connections to known C2 infrastructure and anomalous traffic spikes.
Who Is at Risk
Devices from multiple vendors running unpatched firmware or default credentials are at risk, including home routers, IP cameras, Android TV boxes, and Linux servers exposed to the internet. Organizations with unmanaged IoT devices, remote offices, or legacy infrastructure are especially vulnerable. No specific organizations are named, but the campaign is global in scope.
Patch & Mitigate
- Patch: Apply the latest firmware and security updates for all affected devices immediately. Prioritize patching for CVE-2017-17215, CVE-2025-29635, CVE-2024-1781, and CVE-2018-8007.
- Workaround: Change all default passwords, disable remote management, and restrict device access to trusted networks only.
- Detect: Monitor for outbound connections to 176.65.139.204, duckdns.org, and other IOCs listed by QiAnXin XLab. Watch for unusual traffic patterns or spikes in outbound bandwidth.
MITRE ATT&CK
- TA0001 — Initial Access: Exploitation of public-facing applications and weak credentials to gain entry.
- TA0005 — Defense Evasion: RustDuck uses encryption and anti-analysis to avoid detection.
- TA0011 — Command and Control: Infected devices communicate with attacker infrastructure for remote control and DDoS coordination.
Source: https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

