
Hackers are actively exploiting a major vulnerability in the Wazuh Server to deploy two different Mirai-based botnets, leading to large-scale distributed denial-of-service (DDoS) attacks. This critical flaw, tracked as CVE-2025-24016, allows remote code execution and puts thousands of internet-connected systems at risk.
Wazuh Server Vulnerability
CVE-2025-24016 is a critical vulnerability (CVSS score: 9.9) in the Wazuh Server, a popular open-source security monitoring platform. The flaw lies in the Wazuh API, where JSON data is unsafely deserialized through the as_wazuh_object function: an attacker who can submit requests to the API can send a specially crafted JSON payload and have the server execute arbitrary Python code. Wazuh's advisory notes that this includes API users and, in some configurations, a compromised agent.
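The pattern behind this class of bug, shown as an added example rather than Wazuh's own code: a JSON object_hook that rebuilds Python objects from a tagged dictionary by evaluating a class name, beside a hardened version that looks the name up in an explicit allowlist. The tag keys (__unhandled_exc__, __class__, __args__) and the sample messages are constructed for the demo and are not a statement of Wazuh's exact wire format; the "attacker" payload only appends to a list so the run is harmless.

```python
import json

# Illustrative tag keys for the "rebuild a Python object from a tagged JSON
# dict" pattern. They are assumptions for this demo, not a statement of
# Wazuh's exact wire format.
EXC_TAG = "__unhandled_exc__"

# Constructed side channel: the attacker "payload" below only appends here, so
# the demo proves code execution without spawning a shell or touching disk.
EXECUTED = []


def unsafe_hook(dct):
    """Vulnerable pattern: resolve a class name with eval() and call it.

    Intended input such as {"__unhandled_exc__": {"__class__": "ValueError",
    "__args__": ["x"]}} is rebuilt as ValueError("x"). Nothing limits the
    name to exception classes, so "exec" or "eval" resolve just as well and
    the attacker's __args__ become executed Python.
    """
    if EXC_TAG in dct:
        exc = dct[EXC_TAG]
        return eval(exc["__class__"])(*exc["__args__"])
    return dct


# Hardened form: a fixed table of classes that may be reconstructed, looked up
# by name instead of evaluated, with arguments restricted to JSON scalars.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "RuntimeError": RuntimeError,
}
SCALARS = (str, int, float, bool, type(None))


def safe_hook(dct):
    """Hardened replacement for unsafe_hook using an explicit allowlist."""
    if EXC_TAG in dct:
        exc = dct[EXC_TAG]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        if cls is None:
            raise ValueError(f"refusing to reconstruct {exc.get('__class__')!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list) or not all(isinstance(a, SCALARS) for a in args):
            raise ValueError("exception args must be a list of JSON scalars")
        return cls(*args)
    return dct


def load_unsafe(raw):
    return json.loads(raw, object_hook=unsafe_hook)


def load_safe(raw):
    return json.loads(raw, object_hook=safe_hook)


# Constructed sample messages: one the format is meant for, one abusing it.
BENIGN = json.dumps({EXC_TAG: {"__class__": "ValueError", "__args__": ["bad input"]}})
MALICIOUS = json.dumps({EXC_TAG: {"__class__": "exec",
                                  "__args__": ["EXECUTED.append('attacker code ran')"]}})


def demonstrate():
    """Feed both messages to both loaders and report what happened."""
    EXECUTED.clear()
    report = {}
    report["unsafe_benign"] = type(load_unsafe(BENIGN)).__name__
    load_unsafe(MALICIOUS)  # returns None; the side effect lands in EXECUTED
    report["unsafe_malicious_ran_code"] = EXECUTED == ["attacker code ran"]
    report["safe_benign"] = type(load_safe(BENIGN)).__name__
    try:
        load_safe(MALICIOUS)
        report["safe_malicious"] = "accepted"
    except ValueError:
        report["safe_malicious"] = "rejected"
    return report


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The allowlist is the important design choice: a deserializer that maps attacker-controlled strings to callables must enumerate what it is willing to construct, never resolve names dynamically, and should validate the constructor arguments as plain data before calling anything.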
Wazuh server versions 4.4.0 through 4.9.0 are affected; the fix shipped in version 4.9.1. The public advisory was published in February 2025, and a proof-of-concept (PoC) exploit appeared online at the same time, giving attackers a ready-made method against unpatched systems.
Researchers at Akamai observed the first real-world attacks just weeks after the PoC was released, demonstrating how quickly threat actors move to weaponize newly disclosed vulnerabilities.
By early March 2025, two different botnets began targeting this flaw:
Botnet 1: LZRD-Based Mirai Variant
The first botnet uses a shell script to download a Mirai payload from an external server (176.65.134[.]62). This variant appears to be related to LZRD, a modified version of the infamous Mirai malware. LZRD has been used in various attacks since 2023, including recent exploits of end-of-life (EoL) GeoVision IoT devices.
According to Akamai, there is no solid evidence linking this LZRD campaign to previous ones, since many botnet operators reuse this malware family. Further investigation of the command-and-control (C2) server revealed other Mirai variants hosted there, including ones named "neon" and "vision" and a newer V3G4 version.
This botnet also exploits other known vulnerabilities, including:
Hadoop YARN
TP-Link Archer AX21 (CVE-2023-1389)
ZTE ZXV10 H108L routers (Remote Code Execution flaw)
Botnet 2: Resbot (Resentual)
The second botnet, called Resbot (also known as Resentual), uses a similar method. It delivers its malware using a malicious shell script and then spreads further using FTP (port 21) and Telnet scanning.
Interestingly, this campaign uses domain names with Italian words, suggesting it might be targeting Italian-speaking users or devices commonly used in Italy.
Resbot also leverages older exploits for:
Huawei HG532 routers (CVE-2017-17215)
Realtek SDK (CVE-2014-8361)
TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368)
Mirai Botnet’s Continued Rise
The Mirai botnet and its many variants continue to thrive, primarily due to their ease of reuse and repurposing. Since the Mirai source code was leaked in 2016, cybercriminals have modified and adapted it to target newer devices and vulnerabilities.
Akamai researchers noted that botnet operators often succeed by simply combining existing malware with newly discovered vulnerabilities, such as CVE-2025-24016.
Another recent case involves CVE-2024-3721, a command injection flaw affecting TBK DVR-4104 and DVR-4216 digital video recorders. Attackers used it to download Mirai from another server (42.112.26[.]36). Before launching, the malware checks whether the device is running in a virtual machine, a technique to avoid running inside analysis sandboxes.

Global Infection Trends
According to Kaspersky, Mirai infections are widespread, especially in:
China
India
Egypt
Ukraine
Russia
Turkey
Brazil
They identified over 50,000 exposed DVR devices on the internet, highlighting the sheer scale of vulnerable IoT infrastructure.
Cyberattacks are rising rapidly across Asia-Pacific, with China, India, Taiwan, Singapore, Japan, Malaysia, Indonesia, South Korea, and Bangladesh facing increased threats. Cybersecurity firm StormWall noted that API floods and carpet bombing attacks are replacing traditional DDoS tactics, making them harder to detect and mitigate.
At the same time, geopolitical tensions are fueling state-sponsored attacks, particularly targeting government agencies and critical infrastructure in Taiwan.
The U.S. Federal Bureau of Investigation (FBI) recently issued a warning about the BADBOX 2.0 botnet, which has compromised millions of internet-connected devices, especially those manufactured in China.
According to the FBI, cybercriminals:
Install malware before devices are sold to customers.
Or infect devices during initial software downloads by inserting hidden backdoors.
These compromised devices are then used as residential proxies, enabling criminal operations that are harder to trace.
The exploitation of Wazuh’s vulnerability by two separate Mirai-based botnets is a strong reminder of the importance of prompt patching. As soon as a critical vulnerability becomes public—and especially when a PoC is released—the countdown begins for attackers to exploit it.
Upgrade Wazuh servers to version 4.9.1 or later immediately; until that is done, restrict network access to the Wazuh API.
Monitor IoT devices and routers for signs of compromise.
Use network monitoring tools to detect unusual outbound traffic or scanning activity.
Stay informed about emerging CVEs and apply security updates as soon as they’re available.
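As an added example of the network-monitoring recommendation above (not code from Akamai, Kaspersky or Wazuh), the following script runs two checks over constructed connection-log lines: contact with the payload-hosting addresses named on this page, and a source fanning out to many distinct hosts on FTP (21) and Telnet (23) within one minute, the propagation pattern described for Resbot. The log format, the sample lines and the fan-out threshold are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed connection-log lines, "<ISO timestamp> <src> <dst> <dport>",
# standing in for flow or firewall records. Sample input, not real telemetry.
SAMPLE_LOG = """\
2025-03-05T10:00:01Z 10.0.0.7 176.65.134.62 80
2025-03-05T10:00:03Z 10.0.0.7 192.168.1.10 23
2025-03-05T10:00:03Z 10.0.0.7 192.168.1.11 23
2025-03-05T10:00:04Z 10.0.0.7 192.168.1.12 21
2025-03-05T10:00:04Z 10.0.0.7 192.168.1.13 23
2025-03-05T10:00:05Z 10.0.0.7 192.168.1.14 23
2025-03-05T10:00:05Z 10.0.0.7 192.168.1.15 21
2025-03-05T10:00:09Z 10.0.0.9 192.168.1.20 23
2025-03-05T10:00:10Z 10.0.0.9 203.0.113.5 443
garbage line that does not parse
"""

# Payload-hosting addresses named on this page (defanged there with [.]).
IOC_IPS = {"176.65.134.62", "42.112.26.36"}
SCAN_PORTS = {21, 23}      # FTP and Telnet, the ports Resbot scans
FANOUT_THRESHOLD = 5       # distinct targets per source per minute; assumed, tune per network

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping unparsable lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def analyse(text):
    """Return IOC contacts and sources fanning out on FTP/Telnet within a minute."""
    ioc_hits = []
    fanout = defaultdict(set)  # (src, minute) -> distinct destinations
    for ts, src, dst, dport in parse_log(text):
        if dst in IOC_IPS:
            ioc_hits.append({"src": src, "dst": dst, "dport": dport, "ts": ts})
        if dport in SCAN_PORTS:
            fanout[(src, ts[:16])].add(dst)  # ts[:16] is "YYYY-MM-DDTHH:MM"
    scanners = {}
    for (src, _minute), dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            scanners[src] = max(scanners.get(src, 0), len(dsts))
    return {"ioc_hits": ioc_hits, "scanners": scanners}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        print(f"IOC contact: {hit['src']} -> {hit['dst']}:{hit['dport']} at {hit['ts']}")
    for src, n in result["scanners"].items():
        print(f"scan-like fan-out: {src} reached {n} hosts on FTP/Telnet within a minute")
```

On the sample, 10.0.0.7 is flagged both for fetching from a listed address and for touching six hosts on 21/23 in one minute, while 10.0.0.9, with a single Telnet session, is not. IOC lists age quickly (the page itself notes operators swap servers and reuse the malware family), so the fan-out rule is the more durable of the two checks; the per-minute bucketing is deliberately simple and will miss a scanner that straddles a minute boundary, which a sliding window would catch.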