Wazuh Server Security Flaw Exploited by Threat Actors
Overview of the Vulnerability
A critical security vulnerability affecting Wazuh Server, labeled CVE-2025-24016, has been leveraged by cybercriminals to deploy two variants of the Mirai botnet. This flaw, which allows for remote code execution, has a CVSS score of 9.9, indicating its severity. The exploitation of this vulnerability was first highlighted by Akamai in late March 2025, shortly after the flaw was publicly disclosed.
Technical Breakdown of the Exploit
The vulnerability arises from unsafe deserialization in the Wazuh API, specifically in the DistributedAPI component, where JSON parameters are serialized and deserialized in the common.py file. By sending crafted JSON payloads, attackers can execute arbitrary Python code on vulnerable Wazuh servers. The issue affects server versions 4.4.0 and later and was fixed in version 4.9.1, released in February 2025. The interval between disclosure and exploitation was short, with successful exploits recorded soon after the flaw was made public.
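To make the class of bug concrete, the following added example (written for this page, not Wazuh's own common.py, and using hypothetical names) contrasts a JSON object hook that instantiates whatever class name the sender supplies with a hardened hook that only accepts types from an explicit allow-list. The unsafe form is shown with a harmless builtin to demonstrate that the sender, not the server, chooses what gets constructed:

```python
import json
import builtins
from typing import Any, Callable, Dict

# Hypothetical application type that the API legitimately needs to rebuild from JSON.
class Alert:
    def __init__(self, level: int, description: str):
        self.level = level
        self.description = description


def unsafe_object_hook(obj: dict) -> Any:
    """UNSAFE pattern: the class to instantiate is resolved by the name found in the
    input, so the sender controls which callable runs on the server."""
    tag = obj.get("__class__")
    if tag is None:
        return obj
    cls = globals().get(tag) or getattr(builtins, tag, None)
    if cls is None:
        raise ValueError(f"unknown type {tag!r}")
    return cls(*obj.get("args", []))


# Hardened pattern: a closed mapping from tag to constructor. Anything else is rejected
# before any code runs, regardless of what names exist in the process.
ALLOWED_TYPES: Dict[str, Callable[..., Any]] = {"Alert": Alert}


def safe_object_hook(obj: dict) -> Any:
    tag = obj.get("__class__")
    if tag is None:
        return obj
    factory = ALLOWED_TYPES.get(tag)
    if factory is None:
        raise ValueError(f"refusing to deserialize unknown type {tag!r}")
    return factory(*obj.get("args", []))


def loads_unsafe(text: str) -> Any:
    return json.loads(text, object_hook=unsafe_object_hook)


def loads_safe(text: str) -> Any:
    return json.loads(text, object_hook=safe_object_hook)


def is_accepted(text: str) -> bool:
    """True if the hardened decoder accepts the document, False if it rejects the tag."""
    try:
        loads_safe(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate Alert and a document naming a type the API never intended.
    print(loads_safe('{"__class__": "Alert", "args": [12, "test"]}').description)
    print(type(loads_unsafe('{"__class__": "range", "args": [3]}')).__name__)  # sender picked the class
    print(is_accepted('{"__class__": "range", "args": [3]}'))  # hardened decoder refuses
```

The design point is that the fix is not a denylist of dangerous names but a closed allow-list: the decoder never resolves a sender-supplied string against the interpreter's namespace at all.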
Rapid Exploitation by Botnets
Akamai noted that within weeks of the patch and a proof-of-concept exploit becoming available, two distinct botnets attempted to exploit CVE-2025-24016. These attacks were registered in early March and May 2025, demonstrating a concerning trend of quick exploitation following the disclosure of new vulnerabilities.
Kyle Lefton and Daniel Messing, security researchers, emphasized the rapid response of botnet operators, stating, "This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs."
The Mirai Botnet Variants
The first botnet successfully exploits the vulnerability and executes a shell script to download the Mirai botnet payload from an external server ("176.65.134[.]62"). Initial assessments suggest that this payload contains variants of the LZRD Mirai, which have been active since 2023. LZRD Mirai has been associated with attacks targeting outdated Internet of Things (IoT) devices, although Akamai did not establish a connection between this and other recent activities.
Investigations of the server address "176.65.134[.]62" revealed additional Mirai variants, including “neon” and “vision,” as well as an updated version called V3G4. The malicious botnet also exploits other vulnerabilities, such as those affecting Hadoop YARN and TP-Link routers.
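For defenders hunting for the download activity described above, the following added example (not from the report or from Akamai) takes the published download server indicator, which is kept defanged exactly as it appears in the article, refangs it only in memory, and matches it against constructed proxy and firewall log lines with boundary checks so that a longer address sharing the same prefix does not produce a false hit:

```python
import re
from typing import Dict, Iterable, List

# Indicator as published in the report, kept defanged at rest.
DEFANGED_IOCS = ["176.65.134[.]62"]

# Constructed sample log lines in a generic key=value style; not real traffic.
SAMPLE_LOGS = [
    "2025-03-02T11:14:03Z proxy conn src=10.0.5.7 dst=176.65.134.62 dport=80 method=GET uri=/x86",
    "2025-03-02T11:14:09Z proxy conn src=10.0.5.7 dst=203.0.113.9 dport=443 method=GET uri=/",
    "2025-03-02T11:15:21Z fw deny src=10.0.5.7 dst=176.65.134.62 dport=80",
    "2025-03-02T11:16:02Z fw allow src=10.0.5.7 dst=176.65.134.620 dport=80",  # prefix only, must not match
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form (in memory only)."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def compile_ioc_patterns(defanged_iocs: Iterable[str]) -> Dict[str, "re.Pattern[str]"]:
    """Anchor each indicator so it is not matched as a substring of a longer address."""
    return {
        ioc: re.compile(r"(?<![\d.])" + re.escape(refang(ioc)) + r"(?![\d.])")
        for ioc in defanged_iocs
    }


def find_ioc_hits(lines: Iterable[str], defanged_iocs: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per (line, indicator) match, reporting the defanged form."""
    patterns = compile_ioc_patterns(defanged_iocs)
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, start=1):
        for ioc, pattern in patterns.items():
            if pattern.search(line):
                hits.append({"line_no": line_no, "ioc": ioc, "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {hit['line_no']}: {hit['ioc']} -> {hit['line']}")
```

Reporting the defanged form in the output keeps the indicator from being auto-linked or accidentally clicked in ticketing tools, while the regex boundaries prevent the common mistake of matching 176.65.134.62 inside an unrelated address.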
Additional Threats: The Resbot Variant
A second botnet uses similar tactics, employing a shell script to deliver another Mirai variant named Resbot (also known as Resentual). Notably, the domains used in this campaign carry Italian names, suggesting that it targets devices operated by Italian speakers.
This botnet spreads itself through FTP over port 21 and conducts telnet scanning. It also exploits vulnerabilities in various routers, including the Huawei HG532 and TrueOnline ZyXEL P660HN-T, among others.
Continuing Trends in Botnet Activity
Researchers have noted that the Mirai botnet remains highly adaptable: operators reuse older source code to build or retool botnets with little effort, which lets them capitalize on newly disclosed exploits quickly and often.
CVE-2025-24016 is not the only vulnerability exploited by Mirai variants; recent incidents have also seen threats utilizing vulnerabilities such as CVE-2024-3721, a command injection issue affecting TBK DVR devices. This particular vulnerability allows malware to execute a shell script that downloads the Mirai botnet.
Geographic Focus of Cyber Attacks
Cybersecurity analyses from Kaspersky reveal that infections are particularly concentrated in regions like China, India, and Brazil, with over 50,000 DVR devices identified as being exposed online. The rise in cyber incidents is attributed to the increasing availability of unpatched IoT devices and Linux-based systems.
Call for Enhanced Security Measures
With the landscape of cyber threats continually evolving, cybersecurity experts underscore the necessity of adopting more sophisticated and flexible defenses against these rapidly emerging threats. As API floods and sophisticated DDoS tactics become more prevalent, organizations must proactively strengthen their defenses.
The advent of the BADBOX 2.0 botnet, which has reportedly infected millions of devices, shows the underlying risks posed by compromised IoT devices. These incidents stress the importance of maintaining vigilance against unauthorized access to networks and securing home devices against malware installation.