A recently patched critical security vulnerability in the Wazuh Server is currently being exploited by malicious actors to deploy two distinct variants of the Mirai botnet, which are then used to conduct distributed denial-of-service (DDoS) attacks.
Akamai, the company that first identified the exploitation attempts in late March 2025, stated that the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), a vulnerability that allows for remote code execution on Wazuh servers due to unsafe deserialization.
The security flaw, which affects server versions 4.4.0 and later, was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were released.
The vulnerability is rooted in the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. A malicious actor could exploit this vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.
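The bug class described above is a deserialization hook that turns attacker-controlled type names in JSON into live Python objects. The following is an added example, not Wazuh's own code: a `json.loads` object hook that rebuilds only types on an explicit allowlist and rejects any other type tag, so no name in the payload is ever resolved with `getattr` or an import. The tag key `__type__`, the allowed types and the function names are assumptions for illustration.

```python
import json
from datetime import datetime

# Constructed example: tag key and type names are hypothetical, not Wazuh's wire format.
TAG_KEY = "__type__"

# Allowlist: tag -> builder over the serialized fields. Nothing outside this dict can be built.
ALLOWED_TYPES = {
    "datetime": lambda fields: datetime.fromisoformat(fields["iso"]),
    "set": lambda fields: set(fields["items"]),
}


class UnsafeObjectError(ValueError):
    """Raised when a payload names a type that is not on the allowlist."""


def as_safe_object(dct):
    """object_hook for json.loads: rebuild allowlisted types only; never resolve names dynamically."""
    if TAG_KEY not in dct:
        return dct
    tag = dct[TAG_KEY]
    builder = ALLOWED_TYPES.get(tag)
    if builder is None:
        # The dangerous path in a reflective deserializer would resolve `tag` to a callable here.
        raise UnsafeObjectError(f"refusing to deserialize tagged type {tag!r}")
    try:
        return builder(dct)
    except (KeyError, TypeError, ValueError) as exc:
        raise UnsafeObjectError(f"malformed fields for type {tag!r}: {exc}") from exc


def safe_loads(payload: str):
    """Parse JSON with the allowlisting hook applied to every object."""
    return json.loads(payload, object_hook=as_safe_object)


def classify(payload: str) -> str:
    """'ok' if the payload deserializes, 'rejected' if it names a type outside the allowlist."""
    try:
        safe_loads(payload)
        return "ok"
    except UnsafeObjectError:
        return "rejected"
```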
Akamai discovered attempts by two different botnets to exploit CVE-2025-24016 just weeks after the public disclosure of the flaw and the release of the PoC. The attacks were registered in early March and May 2025.
“This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs,” security researchers Kyle Lefton and Daniel Messing said in a report shared with The Hacker News.
In the first instance, a successful exploit enables the execution of a shell script that serves as a downloader for the Mirai botnet payload from an external server (“176.65.134[.]62”) for different architectures. It’s assessed that the malware samples are variants of LZRD Mirai, which has been around since 2023.
Notably, LZRD was also deployed recently in attacks exploiting GeoVision end-of-life (EoL) Internet of Things (IoT) devices. However, Akamai told The Hacker News that there is no evidence that these two activity clusters are the work of the same threat actor given that LZRD is used by multiple botnet operators.
Further infrastructure analysis of “176.65.134[.]62” and its associated domains has led to the discovery of other Mirai botnet versions, including LZRD variants named “neon” and “vision!,” and an updated version of V3G4.
Other security flaws exploited by this botnet include ones in Hadoop YARN, the TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.
The second botnet to abuse CVE-2025-24016 employs a similar strategy of using a malicious shell script to deliver another Mirai botnet variant referred to as Resbot (aka Resentual).
“One of the interesting things that we noticed about this botnet was the associated language. It was using a variety of domains to spread the malware that all had Italian nomenclature,” the researchers said. “The linguistic naming conventions could indicate a campaign to target devices owned and run by Italian-speaking users in particular.”
Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting Huawei HG532 routers (CVE-2017-17215), the Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 routers (CVE-2017-18368).
“The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets,” the researchers said. “And botnet operators can often find success with simply leveraging newly published exploits.”
CVE-2025-24016 is far from the only vulnerability to be abused by Mirai botnet variants. In recent attacks, threat actors have also taken advantage of CVE-2024-3721, a medium-severity command injection vulnerability