This talk presents an inside look of a national CERT team during a widespread IoT worm outbreak leveraging a zero-day vulnerability in DSL modems. On 25th of November 2016 the Mirai botnet started exploiting a zero-day vulnerability in TR-064 implementation on certain CPE-devices. The infection levels of Mirai in Finland went from hundreds to tens of thousands in a matter of days.