
Akamai Warns That Mirai Botnets Are Exploiting Wazuh RCE


Akamai has issued a warning that several Mirai botnets are exploiting a critical remote code execution vulnerability, identified as CVE-2025-24016, in Wazuh servers. This flaw, with a severity score of 9.9, allows attackers to remotely execute code and take control of affected systems.

Wazuh is an open-source security platform used for intrusion detection, threat monitoring, log analysis, and compliance management. It is widely used to keep watch over endpoints and infrastructure for suspicious activity. 

The vulnerability affects versions of Wazuh starting from 4.4.0 up to, but not including, 4.9.1. It involves unsafe deserialization in the DistributedAPI parameters, which are handled through a JSON-based function called as_wazuh_object. If an attacker submits a specially crafted, unsanitized dictionary, they can trigger an unhandled exception and execute arbitrary Python code. This can be done by anyone with API access, including compromised dashboards or servers, and in some cases, even by a compromised agent. The issue has been fixed in version 4.9.1. 
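The affected range stated above (4.4.0 up to, but not including, 4.9.1) is easy to get wrong with naive string comparison, where "4.10.0" sorts below "4.9.1". The following is an added example, not Wazuh project code, that parses version strings into integer tuples and triages a constructed inventory of manager hosts against that range; the hostnames and version strings are made up for illustration.

```python
"""Triage Wazuh server versions against the CVE-2025-24016 affected range
(4.4.0 <= version < 4.9.1, as stated in the article).

Added example for this article; not Wazuh project code. The sample
inventory below is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (4, 4, 0)   # first affected release
FIXED_IN = (4, 9, 1)       # fix shipped here; this and later releases are safe


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'v4.9.0' / '4.9.0-1' style strings into an integer tuple.

    Integer tuples compare correctly (4.10.0 > 4.9.1), whereas string
    comparison would rank '4.10.0' below '4.9.1'.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if affected, False if not, None if the version is unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED_IN


# Constructed sample inventory: hostname -> version reported by the manager
SAMPLE_INVENTORY = {
    "wazuh-mgr-01": "v4.8.2",
    "wazuh-mgr-02": "4.9.1",
    "wazuh-mgr-03": "4.10.0",
    "wazuh-mgr-04": "4.3.11",
    "wazuh-mgr-05": "unknown",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into 'affected', 'not_affected' and 'unknown' buckets.

    Unparseable versions are reported separately rather than silently
    treated as safe, so they still get a manual check.
    """
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        state = is_affected(ver)
        key = "unknown" if state is None else ("affected" if state else "not_affected")
        result[key].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are deliberately not counted as safe; a version string the script cannot parse is a reason to check the host by hand, not to skip it.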

A proof-of-concept for exploiting the vulnerability is already available, and Akamai’s Security Intelligence Response Team (SIRT) has observed active exploitation. Two Mirai botnet variants, including one named “Resbot” with domains featuring Italian names, have been using this flaw since March 2025. This marks the first recorded active exploitation since the vulnerability was disclosed in February 2025. 

According to Akamai’s report, one campaign in March deployed Mirai variants using a shell script to infect IoT devices. This campaign used samples such as “morte,” which support multiple hardware architectures and connect to command-and-control servers like nuklearcnc.duckdns[.]org and galaxias[.]cc. Other malware variants like “neon” and “k03ldc” showed similarities to the LZRD and V3G4 versions, each with distinct characteristics and exploits, including vulnerabilities in Hadoop YARN, TP-Link AX21, and ZTE routers. 

In May, a second campaign launched a new variant called “resgod,” featuring the message “Resentual got you!” It also targets various IoT devices and communicates through domains with Italian-sounding names, such as gestisciweb.com. This version connects to the IP address 104.168.101[.]27 on TCP port 62627 and spreads through FTP and telnet. It uses unencrypted strings and scans broadly to infect more systems, exploiting RCE flaws in Huawei, Realtek, and ZyXEL devices. 

Akamai has published indicators of compromise (IoCs) to help identify infections by these Mirai variants. 
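The indicators quoted in the two campaign descriptions above (the C2 domains, the 104.168.101[.]27 address and TCP port 62627) are printed defanged and need to be refanged before they can be matched against logs. The following is an added example, not Akamai's or Wazuh's code, that refangs those indicators and runs them over constructed DNS and connection log lines; the log formats and the internal addresses are assumptions for illustration.

```python
"""Match the Mirai indicators quoted in the article against DNS and
connection logs. Added example, not Akamai's or Wazuh's code; the log
lines are constructed and their formats are assumed.
"""
import re
from typing import Dict, List

# Indicators as printed in the article (defanged with [.]).
DEFANGED_DOMAINS = ["nuklearcnc.duckdns[.]org", "galaxias[.]cc", "gestisciweb.com"]
DEFANGED_IPS = ["104.168.101[.]27"]
C2_PORT = 62627  # TCP port used by the 'resgod' variant per the article


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# Constructed sample logs (formats assumed: a BIND-style query log and a
# simple 'src -> dst:dport' connection log).
DNS_LOG = [
    "10.0.0.12 query: www.example.com IN A",
    "10.0.0.44 query: nuklearcnc.duckdns.org IN A",
    "10.0.0.44 query: cdn.galaxias.cc IN A",
    "10.0.0.51 query: gestisciweb.com IN A",
]
CONN_LOG = [
    "10.0.0.44 -> 104.168.101.27:62627 proto=tcp",
    "10.0.0.12 -> 93.184.216.34:443 proto=tcp",
    "10.0.0.51 -> 104.168.101.27:80 proto=tcp",
]

DNS_RE = re.compile(r"^(?P<src>\S+) query: (?P<qname>\S+) IN")
CONN_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def domain_matches(qname: str) -> bool:
    """True if qname equals an IoC domain or is a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def scan_dns(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per DNS query for an IoC domain (or a subdomain)."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and domain_matches(m["qname"]):
            hits.append({"src": m["src"], "indicator": m["qname"], "type": "dns"})
    return hits


def scan_connections(lines: List[str]) -> List[Dict[str, str]]:
    """Flag any connection to an IoC address; mark hits on the known C2 port."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m and m["dst"] in IOC_IPS:
            hits.append({
                "src": m["src"],
                "indicator": f"{m['dst']}:{m['dport']}",
                "type": "c2_port" if int(m["dport"]) == C2_PORT else "ioc_ip",
            })
    return hits


def affected_hosts(dns_lines: List[str], conn_lines: List[str]) -> List[str]:
    """Sorted, de-duplicated list of internal hosts touching any indicator."""
    hits = scan_dns(dns_lines) + scan_connections(conn_lines)
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    for h in scan_dns(DNS_LOG) + scan_connections(CONN_LOG):
        print(h)
    print("hosts to triage:", affected_hosts(DNS_LOG, CONN_LOG))
```

Subdomain matching matters here because botnet samples often resolve hostnames under a listed domain rather than the bare domain itself; a connection to the IoC address on a port other than 62627 is still reported, just with a lower-confidence type, since the port alone is not what makes the address suspicious.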

The report emphasizes how the Mirai botnet remains persistent due to its accessible source code and the continuous stream of newly disclosed vulnerabilities that attackers can quickly exploit. 

Separately, Kaspersky researchers recently identified a new Mirai variant that targets TBK DVR-4104 and DVR-4216 devices by exploiting a command injection flaw (CVE-2024-3721), showing that the botnet continues to evolve and pose significant threats. 
