
A recently patched critical security vulnerability in the Wazuh Server is being exploited by threat actors to deploy two different variants of the Mirai botnet, which are then used to carry out distributed denial-of-service (DDoS) attacks.

Akamai, which first identified these exploitation efforts in late March 2025, reported that the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that enables remote code execution on Wazuh servers.

This security flaw affects all versions of the server software from 4.4.0 onward and was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were made available.

The issue originates from the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using "as_wazuh_object" in the framework/wazuh/core/cluster/common.py file. Threat actors can exploit this vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.
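The root cause described above is a JSON object hook that rebuilds Python objects from a type name supplied by the caller. The block below is an added example, not Wazuh's code, showing the defensive pattern that prevents that class of bug: the hook only constructs types listed in an explicit allowlist, validates the argument shape for each, and refuses everything else instead of resolving a name against a module namespace. The wire-format keys `__type__` and `__args__`, the `TaskResult` and `ApiError` types, and all sample messages are hypothetical constructions for this example and are not Wazuh identifiers or captured traffic.

```python
"""
Added example (not Wazuh project code): an allowlisted JSON object hook.

The type tag in the wire format, the constructible types, and the sample
messages are all hypothetical placeholders, not Wazuh identifiers.
"""
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict

TYPE_TAG = "__type__"   # hypothetical marker naming the type to rebuild
ARGS_KEY = "__args__"   # hypothetical key carrying constructor arguments


@dataclass(frozen=True)
class TaskResult:
    node: str
    status: str


class ApiError(Exception):
    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code
        self.message = message


def _build_task_result(args: Dict[str, Any]) -> TaskResult:
    # Exact key set and string-typed values; anything else is rejected.
    if set(args) != {"node", "status"} or not all(isinstance(v, str) for v in args.values()):
        raise ValueError("TaskResult: bad argument shape")
    return TaskResult(**args)


def _build_api_error(args: Dict[str, Any]) -> ApiError:
    if (set(args) != {"code", "message"}
            or not isinstance(args["code"], int)
            or not isinstance(args["message"], str)):
        raise ValueError("ApiError: bad argument shape")
    return ApiError(args["code"], args["message"])


# The only types the hook may construct. A name that is not a key here is
# never looked up in builtins, globals() or any module; it is refused outright.
ALLOWED_TYPES: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "TaskResult": _build_task_result,
    "ApiError": _build_api_error,
}


def safe_object_hook(dct: Dict[str, Any]) -> Any:
    """json.loads object_hook that reconstructs only allowlisted types."""
    if TYPE_TAG not in dct:
        return dct                      # plain JSON object, pass through
    tag = dct[TYPE_TAG]
    args = dct.get(ARGS_KEY, {})
    if not isinstance(tag, str) or tag not in ALLOWED_TYPES:
        raise ValueError(f"refusing to deserialize unknown type tag {tag!r}")
    if not isinstance(args, dict):
        raise ValueError("constructor arguments must be a JSON object")
    return ALLOWED_TYPES[tag](args)


def decode_message(raw: str) -> Any:
    """Decode one serialized message with the allowlisted hook."""
    return json.loads(raw, object_hook=safe_object_hook)


def is_rejected(raw: str) -> bool:
    """True if the message is refused (unknown tag, bad shape, or invalid JSON)."""
    try:
        decode_message(raw)
    except ValueError:                  # json.JSONDecodeError is a ValueError too
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    ok = '{"__type__": "TaskResult", "__args__": {"node": "worker-1", "status": "done"}}'
    print(decode_message(ok))
    bad = '{"__type__": "NotOnTheAllowlist", "__args__": {"x": 1}}'
    print("rejected:", is_rejected(bad))
```

Because `json.loads` applies the hook to inner objects first, the `__args__` dictionary reaches the builder already decoded, and any nested tagged object inside it goes through the same allowlist. The equivalent check for the real code base is whether the deserializer can reach any callable that is not on such a fixed list; if it can, that is the condition the patch in 4.9.1 removes.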

Akamai discovered attempts by two distinct botnets to exploit CVE-2025-24016 just weeks after the public disclosure of the flaw and the release of the PoC. The attacks were recorded in early March and May 2025.

"This exemplifies the increasingly rapid timelines that botnet operators are adopting for newly published CVEs," security researchers Kyle Lefton and Daniel Messing stated in a report shared with The Hacker News.

In the first case, a successful exploit allows for the execution of a shell script that downloads the Mirai botnet payload from an external server ("176.65.134[.]62") for various architectures. The malware samples are believed to be variants of LZRD Mirai, which has been active since 2023.

Notably, LZRD was also recently used in attacks targeting end-of-life (EoL) Internet of Things (IoT) devices from GeoVision. However, Akamai informed The Hacker News that there is no evidence linking these two activity clusters to the same threat actor, as LZRD is utilized by multiple botnet operators.

Further analysis of the infrastructure associated with "176.65.134[.]62" revealed other Mirai botnet variants, including LZRD variants named "neon" and "vision," as well as an updated version of V3G4.

Other security vulnerabilities exploited by the botnet include flaws in Hadoop YARN, TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.

The second botnet exploiting CVE-2025-24016 employs a similar tactic, using a malicious shell script to deliver another Mirai variant known as Resbot (also referred to as Resentual).

"One interesting observation about this botnet is its associated language. It utilized various domains to spread the malware, all featuring Italian nomenclature," the researchers noted. "This linguistic naming convention may suggest a campaign targeting devices owned and operated by Italian-speaking users."

In addition to attempting to spread via FTP over port 21 and conducting telnet scanning, this botnet has been found to exploit a wide range of vulnerabilities targeting the Huawei HG532 router (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and the TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368).

"The propagation of Mirai continues largely unchecked, as it remains relatively easy to repurpose and reuse old source code to establish or create new botnets," the researchers stated. "Botnet operators often find success simply by leveraging newly published exploits."

CVE-2025-24016 is not the only vulnerability being exploited by Mirai botnet variants. Recent attacks have also targeted CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to incorporate them into the botnet.

This vulnerability is exploited to trigger the execution of a shell script responsible for downloading the Mirai botnet from a remote server ("42.112.26[.]36") and executing it, after verifying that it is not running inside a virtual machine or QEMU.

Russian cybersecurity firm Kaspersky reported that infections are concentrated in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, noting that it has identified over 50,000 exposed DVR devices online.

"Exploiting known security flaws in unpatched IoT devices and servers, along with the widespread use of malware targeting Linux-based systems, results in a significant number of bots continuously searching the internet for devices to infect," security researcher Anderson Leite explained.

This disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region during the first quarter of 2025, according to statistics shared by StormWall.

"API floods and carpet bombing are growing faster than traditional volumetric TCP/UDP attacks, prompting companies to adopt smarter, more flexible defenses," the company stated. "Simultaneously, rising geopolitical tensions are driving an increase in attacks on government systems and Taiwan, highlighting heightened activity from hacktivists and state-sponsored threat actors."

This follows an advisory from the U.S. Federal Bureau of Investigation (FBI) indicating that the BADBOX 2.0 botnet has infected millions of internet-connected devices, most of which are manufactured in China, to turn them into residential proxies for criminal activities.

"Cybercriminals gain unauthorized access to home networks by either pre-configuring the product with malicious software before the user's purchase or infecting the device during the download of required applications that contain backdoors, typically during the setup process," the FBI stated.

"The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cybercriminals exploit by either selling or providing free access to compromised home networks for various criminal activities."