
Mirai Botnets Exploit Wazuh RCE Flaw: Akamai Issues Warning

TL;DR

Multiple Mirai botnets are actively exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-24016) in Wazuh servers, as warned by Akamai researchers. This flaw allows attackers to execute arbitrary code on compromised servers, posing a significant threat to organizations relying on Wazuh for security monitoring.

Main Content

Mirai Botnets Exploit Critical RCE Flaw in Wazuh Servers

Akamai researchers have issued a warning regarding multiple Mirai botnets exploiting a critical remote code execution (RCE) vulnerability, CVE-2025-24016, affecting Wazuh servers. This vulnerability has a CVSS score of 9.9, indicating its severe nature.

Understanding Wazuh and the Vulnerability

Wazuh is an open-source security platform widely used for threat detection, intrusion detection, log data analysis, and compliance monitoring. Organizations deploy Wazuh to monitor endpoints and infrastructure for suspicious or malicious activities.

The advisory explains the vulnerability:

“Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using as_wazuh_object (in framework/wazuh/core/cluster/common.py). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (__unhandled_exc__) to evaluate arbitrary Python code.” [1]

Version 4.9.1 contains the fix for this vulnerability. Researchers have also identified proof-of-concept (PoC) code that demonstrates how this issue can be exploited for arbitrary code execution.
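The advisory describes the root cause as a JSON object hook that turns a tagged dictionary into live Python objects. The safe pattern for such a hook is to reconstruct only an explicit allowlist of tags and to refuse everything else, rather than evaluating anything the payload supplies. The following is an added illustration of that hardening, written for this post; it is not Wazuh's own code, and the tag names (`__datetime__`, `__exception__`), the `ALLOWED_EXCEPTIONS` table and the function names are hypothetical.

```python
import json
from datetime import datetime

# Constructed example of a hardened JSON object_hook for a DAPI-style message
# format. Only two tagged shapes are rebuilt, and reconstruction is a table
# lookup: no eval(), no dynamic attribute resolution from payload strings.

# Hypothetical allowlist of exception classes a response may legitimately carry.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}


class UnsafePayload(ValueError):
    """Raised when a payload carries a tag the deserializer does not allowlist."""


def as_safe_object(dct: dict):
    """object_hook: rebuild allowlisted tagged objects, refuse any other dunder tag."""
    tags = [k for k in dct if k.startswith("__") and k.endswith("__")]
    if not tags:
        return dct  # plain data dictionary, pass through untouched
    if len(tags) != 1:
        raise UnsafePayload(f"multiple tags in one object: {tags}")
    tag = tags[0]

    if tag == "__datetime__":
        # Value must be an ISO-8601 string; fromisoformat raises on anything else.
        return datetime.fromisoformat(dct[tag])

    if tag == "__exception__":
        spec = dct[tag]
        name = spec.get("class") if isinstance(spec, dict) else None
        if name not in ALLOWED_EXCEPTIONS:
            raise UnsafePayload(f"exception class not allowlisted: {name!r}")
        # Table lookup only: the payload never names an arbitrary callable.
        return ALLOWED_EXCEPTIONS[name](str(spec.get("message", "")))

    # Every other tag, including the __unhandled_exc__ shape named in the
    # advisory, is rejected instead of being interpreted.
    raise UnsafePayload(f"unknown tag: {tag}")


def decode_dapi_message(text: str):
    """Decode a JSON message with the hardened hook; raises UnsafePayload on bad tags."""
    return json.loads(text, object_hook=as_safe_object)


def is_payload_safe(text: str) -> bool:
    """True if the message decodes without hitting a rejected tag."""
    try:
        decode_dapi_message(text)
        return True
    except (UnsafePayload, ValueError):
        return False


if __name__ == "__main__":
    # Constructed messages: one benign, one carrying a non-allowlisted tag.
    benign = '{"data": {"seen": {"__datetime__": "2025-03-01T00:00:00"}}, "error": 0}'
    hostile = '{"__unhandled_exc__": "anything the server would have interpreted"}'
    print(decode_dapi_message(benign))
    print("benign safe:", is_payload_safe(benign), "| hostile safe:", is_payload_safe(hostile))
```

The `json.loads` hook is invoked innermost-first for every dictionary in the document, so a rejected tag nested several levels down is still caught before any outer object is assembled. Extending the format means adding a tag branch and, for exceptions, a table entry; the payload itself never gains the ability to choose what gets constructed.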

Active Exploitation by Mirai Botnets

Akamai’s Security Intelligence Response Team (SIRT) has observed active exploitation of the CVE-2025-24016 RCE flaw through DAPI request abuse. Two Mirai botnet variants, including one named “Resbot” with Italian domain names, have been exploiting this bug since March 2025. This marks the first known active abuse since the vulnerability was disclosed in February.

According to Akamai’s report:

“We observed two campaigns of Mirai variants exploiting this vulnerability. One of these, ‘Resbot,’ has Italian nomenclature involved in its domains, possibly alluding to the targeted geography or language spoken by the affected device owner.” [2]

Detailed Exploitation Campaigns

In March 2025, attackers exploited CVE-2025-24016 in Wazuh servers using a shell script to deploy the first Mirai variant spotted by Akamai, primarily LZRD, across IoT devices. These samples, named “morte,” support multiple architectures and link to command and control (C2) domains like nuklearcnc.duckdns[.]org and galaxias[.]cc. Other samples, such as “neon” and “k03ldc,” showed ties to V3G4 and LZRD variants with unique console strings. The botnet also exploited other vulnerabilities, including those in Hadoop YARN, TP-Link AX21, and ZTE routers, using dynamic infrastructure to evade detection and spread rapidly.

In May 2025, a second botnet exploited the Wazuh endpoint using a shell script to deploy “resgod,” a Mirai variant with the string “Resentual got you!” Like the first variant, it targets multiple IoT architectures and uses domains with Italian names, suggesting a focus on Italian-speaking victims. The malware communicates with 104.168.101[.]27 via TCP port 62627 and spreads via FTP and telnet. It exploits several RCEs, including those in Huawei, Realtek, and ZyXEL routers, using unencrypted strings and broad scanning capabilities for rapid propagation.
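The two campaign descriptions above name concrete network indicators: the C2 domains nuklearcnc.duckdns[.]org and galaxias[.]cc, and the address 104.168.101[.]27 on TCP port 62627. The following added example, written for this post and not taken from Akamai's report, refangs those indicators and matches them against a handful of constructed DNS and connection log lines; the log line format is invented for the example.

```python
import re

# Indicators quoted in the article, in defanged form as published.
IOC_DOMAINS = {"nuklearcnc.duckdns[.]org", "galaxias[.]cc"}
IOC_IPS = {"104.168.101[.]27"}
IOC_PORTS = {62627}


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a matchable value."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}

# Constructed sample log lines in an invented key=value format.
# Internal addresses use private ranges; the benign external host uses
# the 203.0.113.0/24 documentation range.
SAMPLE_LOGS = [
    "2025-03-12T10:01:02Z dns client=10.0.0.5 query=nuklearcnc.duckdns.org type=A",
    "2025-03-12T10:01:03Z dns client=10.0.0.5 query=updates.example.com type=A",
    "2025-05-20T09:30:11Z conn src=10.0.0.9 dst=104.168.101.27 dport=62627 proto=tcp",
    "2025-05-20T09:30:12Z conn src=10.0.0.9 dst=203.0.113.10 dport=443 proto=tcp",
    "2025-03-14T02:15:40Z dns client=10.0.0.7 query=cdn.galaxias.cc type=A",
]

DNS_RE = re.compile(r"\bquery=(?P<host>[\w.-]+)")
CONN_RE = re.compile(r"\bdst=(?P<ip>[\d.]+)\s+dport=(?P<port>\d+)")


def host_matches(host: str, domains: set) -> bool:
    """Exact match or any subdomain of a listed C2 domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_iocs(lines):
    """Return one hit per line that touches an indicator, with the reasons found."""
    hits = []
    for line in lines:
        reasons = []
        m = DNS_RE.search(line)
        if m and host_matches(m["host"], DOMAINS):
            reasons.append(f"c2_domain:{m['host']}")
        m = CONN_RE.search(line)
        if m:
            if m["ip"] in IPS:
                reasons.append(f"c2_ip:{m['ip']}")
            if int(m["port"]) in IOC_PORTS:
                reasons.append(f"c2_port:{m['port']}")
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit["reasons"], "<-", hit["line"])
```

A port number on its own is a weak indicator; the example reports it as a separate reason so that a rule can require it to coincide with the listed address before alerting, while a domain or address match stands on its own. The subdomain check matters for the duckdns host, since dynamic-DNS operators hand out many labels under one parent.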

Indicators of Compromise and Conclusion

Akamai has published indicators of compromise (IoC) to help detect these Mirai botnet variants. The report concludes:

“The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets. And botnet operators can often find success with simply leveraging newly published exploits.” [3]

Recently, researchers from the Russian cybersecurity firm Kaspersky discovered a new variant of the Mirai botnet that exploits a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 digital video recording devices.

Pierluigi Paganini

Conclusion

The active exploitation of the CVE-2025-24016 vulnerability in Wazuh servers by Mirai botnets underscores the critical importance of timely patching and vigilant monitoring. Organizations must prioritize updating their security platforms to mitigate such threats and protect their infrastructure from potential breaches.

References

  1. NVD (2025). “CVE-2025-24016 Details”. National Vulnerability Database. Retrieved 2025-06-10.

  2. Akamai (2025). “Botnets Flaw: Mirai Spreads Through Wazuh Vulnerability”. Akamai Blog. Retrieved 2025-06-10.

  3. Akamai (2025). “Botnets Flaw: Mirai Spreads Through Wazuh Vulnerability”. Akamai Blog. Retrieved 2025-06-10.

This post is licensed under CC BY 4.0 by the author.