n8n and Tenda: Tenda Routers Hit By Zerobot Malware Exploiting Command Injection Flaw

Zerobot Botnet Exploits Tenda and n8n Vulnerabilities in Ongoing Campaign

Akamai’s Security Incident Response Team (SIRT) has uncovered an active botnet campaign, Zerobot, leveraging recently disclosed vulnerabilities in Tenda AC1206 routers and the n8n workflow automation platform. First detected in mid-January 2026, the malware, which is linked to the Mirai botnet family, targets two critical flaws: CVE-2025-7544 and CVE-2025-68613.

Exploited Vulnerabilities

  1. CVE-2025-7544 (Tenda AC1206 – CVSS 8.8)

    • A remote stack-based buffer overflow in the /goform/setMacFilterCfg endpoint, caused by improper input handling in the deviceList parameter.
    • Allows unauthenticated attackers to execute arbitrary code, enabling denial-of-service (DoS) attacks or full device compromise.
    • A proof-of-concept (PoC) exploit was publicly released, simplifying attacks via crafted requests.
  2. CVE-2025-68613 (n8n – CVSS 9.9)

    • A remote code execution (RCE) flaw in n8n’s workflow automation platform, stemming from insecure expression evaluation.
    • Unauthenticated attackers can execute arbitrary code, access environment variables, API keys, and configuration files, and move laterally within networks.
    • Affects versions 0.211.0 to 1.120.3, 1.121.0, and early 1.122.x.

Attack Chain & Impact

Zerobot exploits these vulnerabilities to deploy Mirai-based payloads. In observed attacks, threat actors:

  • Triggered a buffer overflow on vulnerable Tenda routers to execute a malicious shell script, tol.sh.
  • Downloaded the primary Zerobot payload, which employs evasion tactics including hosting on Vercel domains and obfuscating scripts.
  • Established command-and-control (C2) communication to deploy a multi-stage infostealer, targeting browser credentials, SSH keys, and Git repositories.

Akamai’s global honeypot network detected active exploitation, with compromised systems used to propagate further attacks. The campaign underscores the growing sophistication of botnets in weaponizing recently disclosed CVEs, particularly in IoT devices and critical infrastructure tools like n8n. Organizations using affected Tenda or n8n versions remain at risk until patches are applied.
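
One way to hunt for the activity described above in HTTP logs, as an added example that is not from Akamai or the original article. The endpoint, the deviceList parameter and the tol.sh name come from the text; the log format, the 256-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators named in the article.
TENDA_ENDPOINT = "/goform/setMacFilterCfg"
OVERFLOW_PARAM = "deviceList"
DROPPER_NAME = "tol.sh"
# Assumption: ceiling for a legitimate deviceList value; tune per fleet.
MAX_DEVICELIST_LEN = 256
# Assumed (constructed) log format: src "METHOD URL" status "request body"
LINE_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<body>.*)"$'
)

def classify(line):
    """Return the findings for one log line; an empty list means no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    findings = []
    url = urlsplit(m["url"])
    if unquote(url.path).rstrip("/") == TENDA_ENDPOINT:
        # deviceList can arrive in the query string or in the form body.
        values = parse_qs(url.query).get(OVERFLOW_PARAM, [])
        values += parse_qs(m["body"]).get(OVERFLOW_PARAM, [])
        longest = max((len(v) for v in values), default=0)
        if longest > MAX_DEVICELIST_LEN:
            findings.append(f"oversized-{OVERFLOW_PARAM}:{longest}")
        else:
            findings.append("endpoint-request")
    # The dropper name in a URL or body, e.g. seen in egress proxy logs.
    if DROPPER_NAME in unquote(m["url"]) or DROPPER_NAME in unquote(m["body"]):
        findings.append("dropper-reference")
    return findings

def scan(lines):
    """Map source address -> findings, keeping only lines that matched."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(line.split(" ", 1)[0], []).extend(found)
    return hits

# Constructed sample lines (documentation addresses, filler values, made-up path).
SAMPLE_LOG = [
    '192.0.2.10 "POST /goform/setMacFilterCfg" 200 "deviceList=aa:bb:cc:dd:ee:ff"',
    '198.51.100.7 "POST /goform/setMacFilterCfg" 200 "deviceList=' + "x" * 900 + '"',
    '203.0.113.5 "GET /bins/tol.sh" 200 ""',
    '192.0.2.10 "GET /index.html" 200 ""',
]
```

Because the article describes the flaw as reachable without authentication, any request to this endpoint from an untrusted network is worth reviewing, not only the oversized ones.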

Source: https://cyberpress.org/zerobot-exploits-tenda-vulnerability/

Tenda North America cybersecurity rating report: https://www.rankiteo.com/company/tenda-north-america

n8n cybersecurity rating report: https://www.rankiteo.com/company/n8n

"id": "TENN8N1772649116",
"linkid": "tenda-north-america, n8n",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Networking/Telecommunications',
                        'name': 'Tenda',
                        'type': 'Hardware Manufacturer'},
                       {'industry': 'Workflow Automation',
                        'name': 'n8n',
                        'type': 'Software Provider'}],
 'attack_vector': ['Remote Code Execution (RCE)', 'Buffer Overflow'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Browser credentials',
                                              'SSH keys',
                                              'Git repositories']},
 'date_detected': '2026-01-15',
 'description': 'Akamai’s Security Incident Response Team (SIRT) has uncovered '
                'an active botnet campaign, Zerobot, leveraging recently '
                'disclosed vulnerabilities in Tenda AC1206 routers and the n8n '
                'workflow automation platform. The malware, linked to the '
                'Mirai botnet family, targets two critical flaws: '
                'CVE-2025-7544 and CVE-2025-68613. Zerobot exploits these '
                'vulnerabilities to deploy Mirai-based payloads, triggering '
                'buffer overflows, executing malicious scripts, and '
                'establishing command-and-control (C2) communication to deploy '
                'a multi-stage infostealer targeting browser credentials, SSH '
                'keys, and Git repositories.',
 'impact': {'data_compromised': ['Browser credentials',
                                 'SSH keys',
                                 'Git repositories'],
            'identity_theft_risk': 'High',
            'operational_impact': 'Denial-of-Service (DoS), Unauthorized '
                                  'Access, Lateral Movement',
            'systems_affected': ['Tenda AC1206 routers',
                                 'n8n workflow automation platform']},
 'initial_access_broker': {'backdoors_established': 'Yes',
                           'entry_point': ['Tenda AC1206 routers',
                                           'n8n workflow automation platform']},
 'investigation_status': 'Ongoing',
 'motivation': 'Data Theft, Botnet Propagation, Lateral Movement',
 'post_incident_analysis': {'corrective_actions': ['Patch management',
                                                   'Enhanced monitoring for '
                                                   'IoT and automation tools'],
                            'root_causes': ['Unpatched vulnerabilities '
                                            '(CVE-2025-7544, CVE-2025-68613)',
                                            'Publicly available PoC exploits']},
 'recommendations': 'Apply patches for CVE-2025-7544 and CVE-2025-68613 '
                    'immediately. Monitor for unusual network traffic and '
                    'unauthorized access attempts. Implement multi-factor '
                    'authentication (MFA) for critical systems.',
 'references': [{'source': 'Akamai SIRT'}],
 'response': {'third_party_assistance': 'Akamai SIRT'},
 'threat_actor': 'Zerobot (Mirai-based)',
 'title': 'Zerobot Botnet Exploits Tenda and n8n Vulnerabilities in Ongoing '
          'Campaign',
 'type': 'Botnet Campaign',
 'vulnerability_exploited': ['CVE-2025-7544', 'CVE-2025-68613']}