A critical remote code execution vulnerability affecting Wazuh servers has been exploited by Mirai botnets, Akamai warned on Monday.
Wazuh is a free and open source security platform designed for threat detection and response. Its developers announced on February 10 that they had patched CVE-2025-24016, an unsafe deserialization issue affecting servers running version 4.4.0 and newer, prior to 4.9.1, which includes a patch.
“An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers,” the developers explained. “The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent.”
A proof-of-concept (PoC) exploit enabling DoS attacks was made public at the time of disclosure, and a PoC designed for arbitrary code execution was released several days later.
According to data from Akamai’s honeypots, in-the-wild exploitation attempts started in March. The cybersecurity firm has seen two Mirai campaigns exploiting CVE-2025-24016 to hack Wazuh servers.
One Mirai botnet variant has targeted the flaw since early March, with the exploit designed to fetch and execute a malicious shell script that serves as a downloader for the Mirai malware payload. The same botnet also targeted vulnerabilities in Hadoop YARN, and in TP-Link and ZTE routers.
The second Mirai variant targeting CVE-2025-24016 was spotted in early May, and some evidence suggests that the campaign may have been aimed at the devices of Italian-speaking users.
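The advisory defines the affected range as 4.4.0 and newer but older than 4.9.1. The inventory triage below is an added example (not Wazuh's or Akamai's code) that applies that range to a list of server versions; the hostnames and version strings are constructed sample data. Versions are compared as integer tuples rather than strings so that 4.10.0 is correctly treated as newer than 4.9.1.

```python
"""Triage a Wazuh server inventory against the CVE-2025-24016 affected range.

Affected per the advisory: 4.4.0 <= version < 4.9.1 (4.9.1 carries the fix).
The inventory at the bottom is constructed sample data, not real hosts.
"""
import re
from typing import Iterable

AFFECTED_MIN = (4, 4, 0)   # first affected release
FIXED = (4, 9, 1)          # first release that includes the patch

# Accepts "4.8.2", "v4.8.2" and tolerates a trailing pre-release/build tag.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?$")


def parse_version(s: str) -> tuple[int, int, int]:
    """Turn a version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in [4.4.0, 4.9.1); tuple comparison keeps
    4.10.0 ordered after 4.9.1, which a plain string compare would get wrong."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Bucket (hostname, version) pairs into affected / not_affected / unparseable."""
    report: dict[str, list[str]] = {"affected": [], "not_affected": [], "unparseable": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unparseable"
        report[bucket].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("wazuh-mgr-01.example.test", "4.8.2"),
    ("wazuh-mgr-02.example.test", "v4.9.1"),
    ("wazuh-mgr-03.example.test", "4.3.10"),
    ("wazuh-mgr-04.example.test", "4.10.0"),
    ("wazuh-mgr-05.example.test", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Hosts that land in the `affected` bucket should be upgraded to 4.9.1 or later; `unparseable` entries need a manual look, since a version the tool cannot read is not evidence that the host is patched.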
“The propagation of Mirai continues relatively unabated, as it remains fairly simple to repurpose and reuse old source code to set up or create new botnets. And botnet operators can often find success with simply leveraging newly published exploits,” Akamai warned.
Akamai has made available indicators of compromise (IoCs) to help defenders detect and block these attacks.
More Mirai-related news comes from Kaspersky, which warned late last week that it had observed a Mirai attack wave exploiting a remote command execution vulnerability tracked as CVE-2024-3721 to ensnare TBK DVR devices.
Kaspersky too has made available IoCs associated with the Mirai attacks it has observed.
Related: DanaBot Botnet Disrupted, 16 Suspects Charged
Related: US Announces Botnet Takedown, Charges Against Russian Administrators
Related: Improperly Patched Samsung MagicINFO Vulnerability Exploited by Botnet