Likelihood: MODERATE
Impact: MODERATE
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: the C0XMO campaign is active and exploitation of authentication bypass is technically straightforward, but exposure requires internet-facing DD-WRT management interfaces or default credentials, limiting the affected population to organizations with specific misconfigurations rather than universal exposure; exploitation against any given organization is not confirmed. Impact is moderate rather than high because the primary business consequence is ISP-level service intervention, upstream null-routing, and reputational/liability risk from weaponized infrastructure rather than direct data loss or operational shutdown of core business systems.
Treatment rationale: The exposure is reducible through concrete, low-cost network hygiene actions — disabling internet-exposed management interfaces, rotating credentials, and patching firmware — making mitigation both feasible and proportionate before the threat escalates to service suspension or third-party liability.
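Added illustration of the first two mitigation checks (this is example code written for this assessment, not DD-WRT project code): a Python audit that parses a `nvram show` style dump from a DD-WRT device and flags WAN-reachable management services and an unrotated management username. The nvram variable names used (remote_management, remote_mgt_ssh, remote_mgt_telnet, telnetd_enable, http_username) are assumptions about DD-WRT's configuration store and should be confirmed against the firmware build in use; the sample dump is constructed, not captured from a device.

```python
"""Audit a DD-WRT ``nvram show`` dump for the exposure conditions named in this
risk item: management interfaces reachable from the WAN and credential hygiene.

Example code added for this assessment, not DD-WRT's own tooling. The nvram
keys below are ASSUMED names; verify them on the firmware build in use.
"""
from dataclasses import dataclass

# Assumed nvram keys whose value "1" means the service is reachable from the WAN.
WAN_EXPOSURE_KEYS = {
    "remote_management": "HTTP/HTTPS management reachable from WAN",
    "remote_mgt_ssh": "SSH management reachable from WAN",
    "remote_mgt_telnet": "Telnet management reachable from WAN",
}

# Assumed key for a service that should be off regardless of WAN exposure.
LEGACY_SERVICE_KEYS = {
    "telnetd_enable": "Telnet daemon enabled (cleartext credentials)",
}

# Usernames commonly left at the shipping value; flagged for credential rotation.
WEAK_USERNAMES = {"root", "admin"}


@dataclass
class Finding:
    severity: str   # "high" (internet-exposed management) or "medium"
    key: str
    message: str


def parse_nvram(dump: str) -> dict:
    """Parse ``key=value`` lines as emitted by ``nvram show``; skip blanks/noise."""
    settings = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return findings in a stable order: WAN exposure, legacy services, username."""
    findings = []
    for key, msg in WAN_EXPOSURE_KEYS.items():
        if settings.get(key) == "1":
            findings.append(Finding("high", key, msg))
    for key, msg in LEGACY_SERVICE_KEYS.items():
        if settings.get(key) == "1":
            findings.append(Finding("medium", key, msg))
    user = settings.get("http_username", "")
    if user in WEAK_USERNAMES:
        findings.append(Finding("medium", "http_username",
                                f"management username is '{user}'; rotate credentials"))
    return findings


def risk_tier(findings: list) -> str:
    """Map findings onto the frequency tiers used in the Loss Exposure section:
    any WAN-reachable management interface puts the device in the high-exposure
    population; other findings warrant review; none means hardened."""
    if any(f.severity == "high" for f in findings):
        return "high-exposure"
    if findings:
        return "needs-review"
    return "hardened"


# Constructed sample dump for demonstration (not from a real device).
SAMPLE_DUMP = """\
router_name=branch-gw-01
remote_management=1
remote_mgt_ssh=0
telnetd_enable=1
http_username=root
http_wanport=8080
"""

if __name__ == "__main__":
    findings = audit(parse_nvram(SAMPLE_DUMP))
    for f in findings:
        print(f"[{f.severity}] {f.key}: {f.message}")
    print("tier:", risk_tier(findings))
```

Run the script against a dump collected from each managed device (for example over the device's console or an internal-only SSH session) and treat any "high-exposure" result as confirmation that the device belongs to the high-exposure population described under Loss Exposure.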
Third-Party / Supply-Chain Risk
DD-WRT is open-source community firmware maintained outside a traditional vendor support model; organizations relying on it inherit the absence of a formal patch SLA or coordinated disclosure timeline. If DD-WRT devices are deployed by a managed service provider or network equipment vendor on behalf of the organization, that provider relationship constitutes a third-party dependency under NIST SP 800-161 supply-chain risk framing — the organization may have no direct visibility into whether those devices have been updated or whether management interfaces are exposed.
Loss Exposure (illustrative)
Magnitude: Low-to-moderate — illustrative $25K–$250K per event
Frequency: For an organization with confirmed internet-exposed DD-WRT management interfaces and default or weak credentials, illustrative probability of botnet compromise in an active campaign window is moderate (1-in-4 to 1-in-10 annually given targeted scanning activity); for organizations with hardened configurations, frequency drops to low.
Annualized: Illustrative ALE: low-exposure organization — $5K–$25K/year; high-exposure organization (multiple internet-facing devices, default credentials) — $25K–$100K/year, driven predominantly by incident response labor, ISP coordination, and potential service disruption costs rather than breach-class losses.
Basis: Loss magnitude derived from: incident response and forensic labor to identify and remediate compromised devices (days to weeks of staff or vendor time); potential ISP null-routing or emergency circuit costs during a DDoS participation event; reputational and customer-notification overhead if the organization's IP space is publicly listed as a DDoS source. No data exfiltration or ransomware vector is present in this item, which caps the magnitude below breach-class losses. Frequency derived from active campaign status (scanning is confirmed), tempered by the requirement for exploitable misconfiguration. No third-party actuarial data cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If compromised devices are used to conduct DDoS attacks against third parties, this may implicate cyber liability policy conditions around failure to maintain reasonable security controls — verify with broker.
• Upstream ISP acceptable-use policy violations resulting from botnet participation could trigger service suspension clauses in ISP contracts — verify with counsel.
• If the organization operates in a regulated sector and the compromised device sits on a network segment that touches regulated data or systems, incident-reporting obligations under sector-specific frameworks (e.g., HIPAA, GLBA, state data security laws) may be triggered depending on access scope — verify with counsel.