Protect.Computer

C0XMO Botnet Is Hijacking DD-WRT Routers via Old Security Flaw

1 min read · Network safety · Device safety

Security researchers at Fortinet have discovered a new botnet, C0XMO, that is actively infecting routers running DD-WRT, the popular third-party firmware that many people flash onto home and small-office routers to unlock extra features. Once a router is infected it joins a network of hijacked devices that criminals use to flood websites and online services with junk traffic (a distributed denial-of-service, or DDoS, attack), knocking them offline.

C0XMO spreads by exploiting CVE-2021-27137, a known buffer overflow in DD-WRT. Because the flaw is reachable before any login, an attacker needs no username or password: a single specially crafted message sent to the router is enough to take it over. The malware is unusually aggressive: it hunts for competing malware already on the device and deletes it, securing the router for itself. It supports dozens of attack methods, including traffic floods and amplification attacks, and it targets a wide range of device types beyond routers, including DVRs and video management systems.

How to check if you’re affected

Affected devices are routers (or other networked devices) running a DD-WRT build that predates the fix for CVE-2021-27137, which shipped in 2021. If your build is older than that and you have not updated since, your router is exposed. To check, log into the router's admin panel (by default at 192.168.1.1): DD-WRT prints the running build in the header of every page, in the form "Firmware: DD-WRT v3.0-rNNNNN std (MM/DD/YY)", and again on the Status → Router page. The number to compare is the build revision (the rNNNNN part) and its date, not the "v3.0" label, which has stayed the same for years; check it against the latest release for your router model at dd-wrt.com.
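One way to automate the version check described above, as an added example that is not code from the article or from Fortinet. It parses the banner DD-WRT prints in its web UI header, extracts the build revision, and flags a build older than a minimum revision you pass in. That threshold is not given by the article, so take it from the DD-WRT release notes for the build that fixed CVE-2021-27137 on your hardware. The sample page and the revision in it are constructed for the demo, and fetch_page and its arguments are this example's own names, not a DD-WRT API.

```python
"""Parse a DD-WRT firmware banner and decide whether the build predates a
given minimum revision.

Added example, not code from the article or from Fortinet.  The banner
format ("DD-WRT v3.0-r45723 std (01/20/21)") is what DD-WRT's web UI prints
in its page header; the sample page below is constructed, and the minimum
safe revision is an argument you supply from the DD-WRT release notes.

usage: ddwrt_check.py <min_safe_revision> [router_url] [user] [password]
"""

import re
import sys
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Modern banner: "DD-WRT v<major>-r<revision> <variant> (<mm/dd/yy>)".
BANNER_RE = re.compile(
    r"DD-WRT\s+v(?P<major>\d+(?:\.\d+)*)-r(?P<rev>\d+)"
    r"(?:\s+(?P<variant>[\w-]+))?"
    r"(?:\s+\((?P<date>\d{2}/\d{2}/\d{2})\))?"
)
# Pre-revision banners such as "DD-WRT v24-sp2": far too old to contain a
# 2021 fix, so they are reported as revision 0 rather than "not DD-WRT".
LEGACY_RE = re.compile(r"DD-WRT\s+v(?P<major>\d+(?:-sp\d+)?)")

# Constructed sample of a DD-WRT page header (illustrative revision/date).
SAMPLE_PAGE = """
<div class="logo"></div>
<div class="info">Firmware: DD-WRT v3.0-r44715 std (09/11/20)<br/>
Time: 12:03:44 up 3 days</div>
"""


@dataclass
class DdwrtBuild:
    major: str
    revision: int
    variant: Optional[str]
    date: Optional[str]


def parse_banner(text: str) -> Optional[DdwrtBuild]:
    """Return the build described by the first DD-WRT banner in `text`
    (an HTML page or a pasted status line), or None if there is none."""
    m = BANNER_RE.search(text)
    if m is not None:
        return DdwrtBuild(m["major"], int(m["rev"]), m["variant"], m["date"])
    legacy = LEGACY_RE.search(text)
    if legacy is not None:
        return DdwrtBuild(legacy["major"], 0, None, None)
    return None


def is_at_risk(build: DdwrtBuild, min_safe_revision: int) -> bool:
    """True if the running revision predates `min_safe_revision`.  Only the
    r-number is compared: DD-WRT has been 'v3.0' for years, so the major
    version says nothing about whether a 2021 fix is present."""
    return build.revision < min_safe_revision


def fetch_page(url: str, user: Optional[str] = None,
               password: Optional[str] = None, timeout: float = 5.0) -> str:
    """Fetch a page of the router's web UI over the LAN, with HTTP basic
    auth if admin credentials are given (hypothetical helper name)."""
    opener = urllib.request.build_opener()
    if user is not None:
        mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
        mgr.add_password(None, url, user, password or "")
        opener = urllib.request.build_opener(
            urllib.request.HTTPBasicAuthHandler(mgr))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def main(argv: list) -> int:
    if len(argv) < 2:
        print(__doc__)
        return 2
    min_rev = int(argv[1])
    if len(argv) >= 3:
        page = fetch_page(argv[2], *argv[3:5])
    else:
        page = SAMPLE_PAGE  # offline demo against the constructed sample
    build = parse_banner(page)
    if build is None:
        print("no DD-WRT banner found: not DD-WRT, or the page needs a login")
        return 1
    print(f"running DD-WRT r{build.revision} ({build.variant}, built {build.date})")
    if is_at_risk(build, min_rev):
        print(f"AT RISK: r{build.revision} is older than r{min_rev}; update from dd-wrt.com")
        return 1
    print("build is at or above the minimum revision")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with just the minimum revision to see the check against the embedded sample, or add the router URL (and admin credentials if the UI prompts for them) to check a real device on your LAN. A non-zero exit status means either an old build or no recognisable banner, so it can be dropped into a scheduled job that alerts when the router falls behind.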

Steps to protect yourself:

  • Update DD-WRT to the latest build for your router model from dd-wrt.com.
  • Change the admin password: use a strong, unique password, not the default.
  • Disable remote access (WAN-side admin) if you don't need to manage the router from outside your home network. The setting is under Administration → Management → Remote Access; turn off Web GUI, SSH and Telnet management there unless you actually use them.
  • Turn off services you don't use, such as UPnP (NAT/QoS → UPnP). The flaw is exploitable without a login, so every service the router exposes is attack surface.
