CISA Adds Critical Wazuh and WebDAV Flaws to Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Wazuh and WebDAV to its Known Exploited Vulnerabilities catalog. These flaws, actively exploited by malicious actors, pose significant risks to cybersecurity infrastructure. Learn about the vulnerabilities, their impacts, and the recommended actions.
TL;DR
- CISA has added critical vulnerabilities in Wazuh and WebDAV to its Known Exploited Vulnerabilities catalog.
- These flaws are actively exploited by Mirai botnets, posing significant risks to cybersecurity infrastructure.
- Organizations are urged to review and address these vulnerabilities to protect their networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities affecting ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect to its Known Exploited Vulnerabilities (KEV) catalog [1].
Vulnerabilities Overview
The identified vulnerabilities include:
- CVE-2025-24016: A critical deserialization of untrusted data flaw in Wazuh Server, with a CVSS score of 9.9 [2].
- CVE-2025-33053: A Web Distributed Authoring and Versioning (WebDAV) vulnerability, with a CVSS score of 8.8 [3].
Wazuh Vulnerability Details
Akamai researchers have warned that multiple Mirai botnets are exploiting the critical remote code execution vulnerability CVE-2025-24016 in Wazuh servers [4]. Wazuh is an open-source security platform widely used for threat detection, intrusion detection, log data analysis, and compliance monitoring.
The vulnerability, present in versions 4.4.0 to 4.9.1, allows for remote code execution due to unsafe deserialization. Attackers can inject unsanitized data into DAPI requests, leading to arbitrary code execution [5].
Active Exploitation
Researchers have observed active exploitation of CVE-2025-24016 via DAPI request abuse. Two Mirai botnet variants, including “Resbot,” have been exploiting this vulnerability since March 2025. This marks the first known active abuse since the flaw’s disclosure in February [6].
In March 2025, attackers used a shell script to deploy the Mirai variant “morte” across IoT devices. This variant supports multiple architectures and is linked to command and control (C2) domains like nuklearcnc.duckdns[.]org and galaxias[.]cc [7].
In May 2025, a second botnet deployed the Mirai variant “resgod,” which targets Italian-speaking victims. This malware communicates via TCP port 62627 and spreads through FTP and telnet [8].
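The following triage helper is an added example, not code from CISA, Akamai or Wazuh. It checks a Wazuh version string against the range given above and sweeps log lines for the C2 domains and TCP port named in this section. The key=value log format, the field names and the sample lines are constructed for illustration.

```python
import re

# Values taken from the article above. The upper bound is treated as inclusive,
# the conservative reading of "4.4.0 to 4.9.1"; confirm the exact fixed release
# against the vendor advisory.
AFFECTED_MIN, AFFECTED_MAX = (4, 4, 0), (4, 9, 1)
C2_DOMAINS = {"nuklearcnc.duckdns.org", "galaxias.cc"}
C2_PORT = 62627  # weak signal on its own; correlate with other evidence

def parse_version(text):
    """Turn 'v4.7.2' or '4.7.2-1' into (4, 7, 2); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+~].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    # Tuple comparison avoids the string-compare trap where "4.10.0" < "4.9.1".
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def refang(host):
    """Normalise a defanged or mixed-case host name for comparison."""
    return host.lower().replace("[.]", ".").rstrip(".")

def matches_c2(host):
    # Match the domain itself or any subdomain, never a mere suffix of the string.
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def sweep(lines):
    """Return (line_no, reason) for each log line that matches an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "query" in fields and matches_c2(fields["query"]):
            hits.append((no, "dns:" + refang(fields["query"])))
        if fields.get("proto") == "tcp" and fields.get("dport") == str(C2_PORT):
            hits.append((no, "port:%d" % C2_PORT))
    return hits

# Constructed sample log lines (hypothetical format, documentation IP ranges).
SAMPLE = [
    "ts=2025-05-02T10:00:01Z src=192.0.2.10 query=updates.example.com",
    "ts=2025-05-02T10:00:07Z src=192.0.2.10 query=nuklearcnc.duckdns.org",
    "ts=2025-05-02T10:01:12Z src=192.0.2.10 proto=tcp dst=203.0.113.5 dport=62627",
    "ts=2025-05-02T10:02:30Z src=192.0.2.11 proto=tcp dst=203.0.113.9 dport=443",
    "ts=2025-05-02T10:03:00Z src=192.0.2.12 query=notgalaxias.cc",
]

if __name__ == "__main__":
    print([v for v in ("4.3.11", "4.4.0", "4.9.1", "4.9.2") if is_affected(v)])
    print(sweep(SAMPLE))
```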
WebDAV Vulnerability Details
CVE-2025-33053 is an external file name or path control issue in WebDAV that allows unauthorized attackers to execute code remotely over a network [9].
CISA Directive and Recommendations
According to the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address these vulnerabilities by the specified due date to protect their networks [10].
CISA has ordered federal agencies to fix the vulnerabilities by July 1, 2025. Private organizations are also advised to review the Catalog and address these vulnerabilities in their infrastructure [11].
Conclusion
The addition of these critical vulnerabilities to CISA’s KEV catalog underscores the urgent need for organizations to review and address these flaws. Failure to do so could result in severe cybersecurity risks, including unauthorized access and data breaches. By staying informed and taking proactive measures, organizations can safeguard their networks against these emerging threats.
References
1. “CISA Adds Two Known Exploited Vulnerabilities to Catalog” (2025). “CISA Alert”. CISA. Retrieved 2025-06-12.
2. “CVE-2025-24016 - Wazuh Server Deserialization of Untrusted Data Vulnerability” (2025). “CVE Record”. CVE. Retrieved 2025-06-12.
3. “CVE-2025-33053 - WebDAV External Control of File Name or Path Vulnerability” (2025). “CVE Record”. CVE. Retrieved 2025-06-12.
4. “Mirai Botnets Exploit Wazuh RCE - Akamai Warned” (2025). “Security Affairs”. Security Affairs. Retrieved 2025-06-12.
5. “Wazuh Security Advisory” (2025). “GHSA Advisory”. GitHub. Retrieved 2025-06-12.
6. “Botnets Flaw: Mirai Spreads Through Wazuh Vulnerability” (2025). “Akamai Report”. Akamai. Retrieved 2025-06-12.
7. “Mirai Variant ‘morte’” (2025). “Akamai Report”. Akamai. Retrieved 2025-06-12.
8. “Mirai Variant ‘resgod’” (2025). “Akamai Report”. Akamai. Retrieved 2025-06-12.
9. “CVE-2025-33053 - WebDAV Vulnerability” (2025). “CVE Record”. CVE. Retrieved 2025-06-12.
10. “Binding Operational Directive (BOD) 22-01” (2025). “CISA Directive”. CISA. Retrieved 2025-06-12.
11. “CISA Orders Federal Agencies to Fix Vulnerabilities by July 1, 2025” (2025). “CISA Alert”. CISA. Retrieved 2025-06-12.