Vulnerable Wazuh servers targeted by two Mirai botnets

Two distinct Mirai botnets have been observed targeting a critical vulnerability in Wazuh servers, Akamai researchers have warned.

The flaw in question is CVE-2025-24016, an unsafe deserialization issue in the manager package of the open source XDR and SIEM solution Wazuh. It affects Wazuh versions 4.4.0 through 4.9.0 and was fixed in version 4.9.1. The Wazuh server's distributed API serializes its requests and responses as JSON, and a remote attacker with API access (for example through a compromised dashboard or a compromised cluster member) can supply a crafted JSON object that the server deserializes into arbitrary Python objects, resulting in arbitrary code execution on the server. Following the public disclosure, a proof of concept (PoC) was released detailing how to achieve remote code execution using this vulnerability.
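To make the bug class concrete, the following added example (written for this page, not Wazuh's or Akamai's code, and using illustrative tag names rather than Wazuh's real wire format) shows the generic unsafe pattern beside a hardened one: a JSON `object_hook` that imports and calls whatever module and attribute the input names, versus a hook that only honours a closed allowlist of tags. The attacker document, the legitimate document and the tag names are all constructed for the demonstration.

```python
import importlib
import json
from datetime import datetime

# Constructed attacker-controlled JSON (illustrative tag names, not Wazuh's
# real wire format). It asks the decoder to resolve math.sqrt and call it with
# 16; naming os.system instead would run a shell command on the server.
ATTACKER_JSON = json.dumps({
    "data": {"__callable__": {"__module__": "math", "__name__": "sqrt",
                              "__args__": [16]}}
})

# Constructed legitimate document that only needs a datetime restored.
LEGIT_JSON = json.dumps({"data": {"__datetime__": "2025-03-10T12:00:00+00:00"}})


def unsafe_hook(dct):
    """Vulnerable pattern: any module and attribute named in the input is
    imported, looked up and invoked with attacker-chosen arguments."""
    if "__callable__" in dct:
        spec = dct["__callable__"]
        fn = getattr(importlib.import_module(spec["__module__"]), spec["__name__"])
        return fn(*spec.get("__args__", []))
    if "__datetime__" in dct:
        return datetime.fromisoformat(dct["__datetime__"])
    return dct


def unsafe_loads(text):
    return json.loads(text, object_hook=unsafe_hook)


# Hardened pattern: a closed allowlist of tags mapped to fixed constructors.
# Nothing in the input is ever used to look up a module, class or function.
SAFE_CONSTRUCTORS = {
    "__datetime__": datetime.fromisoformat,
}


def safe_hook(dct):
    tags = [k for k in dct if k.startswith("__") and k.endswith("__")]
    if not tags:
        return dct
    if len(tags) != 1 or tags[0] not in SAFE_CONSTRUCTORS:
        raise ValueError(f"refusing to deserialize unknown tag(s): {tags}")
    value = dct[tags[0]]
    if not isinstance(value, str):
        raise ValueError("tagged value must be a string")
    return SAFE_CONSTRUCTORS[tags[0]](value)


def safe_loads(text):
    return json.loads(text, object_hook=safe_hook)


def demo():
    """Return (unsafe_result, safe_error, safe_legit) for the two documents.

    unsafe_result: what the vulnerable decoder computes from attacker input
    safe_error:    the refusal message the hardened decoder raises for it
    safe_legit:    the datetime the hardened decoder restores from good input
    """
    unsafe_result = unsafe_loads(ATTACKER_JSON)["data"]
    try:
        safe_loads(ATTACKER_JSON)
        safe_error = None
    except ValueError as exc:
        safe_error = str(exc)
    safe_legit = safe_loads(LEGIT_JSON)["data"]
    return unsafe_result, safe_error, safe_legit


if __name__ == "__main__":
    print(demo())
```

Note that `json.loads` calls the hook on the innermost object first, so the hardened decoder rejects the attacker's document as soon as it meets the nested `__module__`/`__name__`/`__args__` keys, before any outer tag is even considered. The fix is not "sanitize the module name"; it is never letting the input choose a code path at all.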

According to Akamai, the first exploitation attempts were observed just a few weeks after the initial disclosure. The activity was connected to two separate Mirai botnets. The first botnet exploited the flaw to fetch and execute a malicious shell script that serves as a downloader for the main Mirai malware payload.

“Similar to the average shell scripts we often see with Mirai, it supports a variety of different architectures to target primarily Internet of Things (IoT) devices. These Mirai malware samples, named ‘morte,’ appear to be LZRD Mirai variants, which have been around for some time. They can be easily distinguished by the hard-coded unique string they print on a target machine’s console upon execution: ‘lzrd here,’” the report explains.

Further investigation into IP addresses linked to the activity revealed several malware payloads, including a Windows-based RAT that disguises itself as the Windows svchost process, and three Mirai malware samples.

Aside from the Wazuh flaw, the first botnet also targets other vulnerabilities, including CVE-2023-1389 (TP-Link Archer AX21 routers), CVE-2017-17215 (Huawei HG532 routers), and CVE-2017-18368 (Zyxel P660HN-T1A routers).

The second botnet was first spotted in early May 2025. Like the first, it fetches and executes a malicious shell script that serves as a Mirai downloader. The malware, named “resgod,” is identified by its hard-coded console string “Resentual got you!” As with the first botnet, the downloader serves payloads built for a wide range of architectures in order to infect IoT devices.

The researchers note that CVE-2025-24016 affects active Wazuh servers still running the vulnerable versions. Users are strongly advised to upgrade to Wazuh version 4.9.1 or later to mitigate the risk of exploitation. Because exploitation requires access to the Wazuh API, limiting that API's exposure to trusted networks reduces the attack surface until the upgrade is done.
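A quick way to confirm whether a given manager falls in the affected range, as an added example that is not part of the original article or the Wazuh project. It assumes the version is read from the `WAZUH_VERSION="v4.x.y"` line that `/var/ossec/bin/wazuh-control info` prints on a manager; the sample output below is constructed for the demonstration, and the range bounds come from the advisory as summarised above.

```python
import re

# Constructed sample of the key="value" output that wazuh-control info prints
# on a manager (format assumed; substitute the real command output).
SAMPLE_INFO = """WAZUH_VERSION="v4.8.2"
WAZUH_REVISION="40816"
WAZUH_TYPE="server"
"""

AFFECTED_MIN = (4, 4, 0)   # first affected release (CVE-2025-24016)
FIXED = (4, 9, 1)          # first fixed release


def parse_version(text):
    """Turn 'v4.8.2' or '4.8.2' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes are deliberately rejected rather than guessed at.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this version is in the affected range 4.4.0 through 4.9.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def version_from_control_info(output):
    """Extract the WAZUH_VERSION value from wazuh-control info output."""
    m = re.search(r'^WAZUH_VERSION="?([^"\n]+)"?', output, re.MULTILINE)
    if not m:
        raise ValueError("WAZUH_VERSION not found in output")
    return m.group(1)


def check(output):
    """Return (version string, affected?) for a wazuh-control info dump."""
    v = version_from_control_info(output)
    return v, is_affected(v)


if __name__ == "__main__":
    ver, affected = check(SAMPLE_INFO)
    verdict = "AFFECTED, upgrade to 4.9.1 or later" if affected else "not in affected range"
    print(f"Wazuh {ver}: {verdict}")
```

Tuple comparison keeps the check correct across the 4.9 to 4.10 boundary, where naive string comparison would misorder "4.10.0" below "4.9.1".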
