Mirai Botnets Exploit Critical Wazuh RCE Vulnerability, Akamai Warns
Akamai has issued an alert about active exploitation of a critical remote code execution (RCE) vulnerability in Wazuh servers by Mirai botnets.
Wazuh, an open source security platform for threat detection and response, patched the flaw tracked as CVE-2025-24016 on February 10. The vulnerability, found in versions 4.4.0 through 4.9.0, stems from unsafe deserialization and allows remote attackers with API access, or in some cases compromised agents, to execute arbitrary code.
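A defender's first step is to find which servers fall in the affected range. The following inventory check is an added example, not Wazuh's or Akamai's code; it assumes a hostname-to-version mapping built from your own asset data (the sample inventory below is constructed) and treats the range 4.4.0 through 4.9.0 as inclusive, as stated above.

```python
import re

# Affected range for CVE-2025-24016 as reported: 4.4.0 through 4.9.0 inclusive.
AFFECTED_MIN = (4, 4, 0)
AFFECTED_MAX = (4, 9, 0)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn strings like '4.9.0', 'v4.8.2' or 'Wazuh v4.9.1-rc1' into (major, minor, patch)."""
    match = _VERSION_RE.search(text.replace("Wazuh", "").strip())
    if not match:
        raise ValueError(f"unrecognised Wazuh version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version lies inside the vulnerable range (tuple comparison, not string)."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def triage(inventory):
    """Return the sorted hostnames whose Wazuh manager version is in the affected range.

    inventory: dict of hostname -> version string (assumed to come from your own asset data).
    """
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "wazuh-prod-01": "v4.9.0",
    "wazuh-prod-02": "4.9.1",      # patched release, outside the range
    "wazuh-lab": "4.3.11",          # predates the affected range
    "wazuh-dr": "Wazuh v4.7.5",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to a patched release")
```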
Public proof-of-concept (PoC) exploits for both denial-of-service and full code execution appeared shortly after the disclosure.
Akamai’s honeypots began detecting exploitation attempts as early as March. Two Mirai botnet variants have been observed targeting Wazuh:
- The first variant began attacks in early March, using an exploit to download and execute a shell script that installs the Mirai malware. This botnet also targets other known vulnerabilities in Hadoop YARN, TP-Link, and ZTE routers.
- A second variant emerged in early May, possibly targeting devices used by Italian-speaking users.
Akamai warns that Mirai’s continued propagation is fueled by how easily attackers can adapt its source code and exploit newly disclosed vulnerabilities. The company has released indicators of compromise (IoCs) to help defenders detect and mitigate these threats.
Meanwhile, Kaspersky also reported a Mirai campaign exploiting CVE-2024-3721 to infect TBK DVR devices, adding to the growing wave of attacks involving the botnet.