
A critical vulnerability in the Wazuh server, patched as early as February, is now being actively exploited to deploy Mirai-based botnets aimed at conducting DDoS attacks. According to experts at Akamai, exploitation of the flaw began in March 2025—just weeks after a public exploit was released and version 4.9.1 was issued to address the issue.
The vulnerability, tracked as CVE-2025-24016 and rated 9.9 on the CVSS scale, affects all versions of Wazuh from 4.4.0 onward (prior to the 4.9.1 fix). It stems from insecure deserialization within the server’s API, where DistributedAPI parameters are transformed into Python objects via the as_wazuh_object function. An attacker can supply a malicious JSON payload to achieve remote code execution.
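The vulnerability class described above, turning attacker-supplied JSON into live Python objects, is illustrated by the following added example. This is not Wazuh's as_wazuh_object code or a reproduction of the CVE; the hook names, the `__class__`/`__type__` tag keys and the allowlist are hypothetical. It places a deserializer that lets the JSON choose the class beside a hardened one that only builds types from a closed allowlist and validates the arguments.

```python
"""Added illustration of insecure JSON-to-object deserialization versus an
allowlisted deserializer. Hypothetical code written for this page, not Wazuh's."""
import importlib
import json
from datetime import date


# --- Vulnerable pattern (hypothetical): the JSON decides which class is built ---
def unsafe_object_hook(obj: dict):
    """Resolve '__class__' from untrusted JSON and call it with '__args__'.
    Whoever controls the JSON controls which Python callable runs, which is
    the root cause of this bug class."""
    if "__class__" in obj:
        module_name, _, cls_name = obj["__class__"].rpartition(".")
        cls = getattr(importlib.import_module(module_name), cls_name)
        return cls(*obj.get("__args__", []))
    return obj


def unsafe_loads(payload: str):
    return json.loads(payload, object_hook=unsafe_object_hook)


# --- Hardened pattern: a closed allowlist of tags -> constructors ---
class DeserializationError(ValueError):
    """Raised for any tag or argument shape the allowlist does not cover."""


ALLOWED_TYPES = {
    # hypothetical tags; each constructor validates/coerces its own arguments
    "date": lambda y, m, d: date(int(y), int(m), int(d)),
    "cluster_node": lambda name, ip: {"name": str(name), "ip": str(ip)},
}


def safe_object_hook(obj: dict):
    if "__type__" not in obj:
        return obj
    tag = obj["__type__"]
    if tag not in ALLOWED_TYPES:
        raise DeserializationError(f"unknown type tag {tag!r}")
    args = obj.get("__args__", [])
    if not isinstance(args, list) or not all(isinstance(a, (str, int)) for a in args):
        raise DeserializationError("arguments must be a list of scalars")
    try:
        return ALLOWED_TYPES[tag](*args)
    except TypeError as exc:
        raise DeserializationError(f"bad arguments for {tag!r}: {exc}") from exc


def safe_loads(payload: str):
    return json.loads(payload, object_hook=safe_object_hook)


def is_rejected(payload: str) -> bool:
    """True when the hardened deserializer refuses the payload."""
    try:
        safe_loads(payload)
    except DeserializationError:
        return True
    return False


if __name__ == "__main__":
    # Both accept an intended type (constructed input)...
    print(unsafe_loads('{"__class__": "datetime.date", "__args__": [2025, 3, 1]}'))
    print(safe_loads('{"__type__": "date", "__args__": [2025, 3, 1]}'))
    # ...but only the unsafe hook will instantiate a class nobody intended to expose.
    print(type(unsafe_loads('{"__class__": "collections.Counter", "__args__": ["aab"]}')))
    print(is_rejected('{"__type__": "collections.Counter", "__args__": ["aab"]}'))
```

The benign `collections.Counter` call shows the point without any harmful payload: in the unsafe variant the set of reachable constructors is every importable callable, while the hardened variant's reachable set is exactly the keys of `ALLOWED_TYPES`, so a new entry has to be an explicit code change that can be reviewed.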
According to Akamai’s telemetry, the exploit is currently being used by at least two independent botnets, each leveraging its own variant of Mirai. The first observed campaign delivers a script that fetches the botnet payload from the external server 176.65.134[.]62, which hosts malicious Mirai builds targeting architectures such as ARM, MIPS, and others. These samples belong to the LZRD family, known since 2023. Notably, the same botnet variants were also observed in attacks against legacy GeoVision surveillance devices, although no direct links between these campaigns have been confirmed.
Further analysis of the server’s infrastructure revealed additional Mirai modifications, including variants known as neon, vision, and an advanced version labeled V3G4. Beyond Wazuh, the botnet also exploits other known vulnerabilities, including flaws in the TP-Link Archer AX21 (CVE-2023-1389), the Hadoop YARN component, and the ZTE ZXV10 H108L router.
The second wave of attacks leveraging CVE-2025-24016 is attributed to a different botnet—Resbot, also referred to as Resentual. It employs a similar deployment mechanism: executing a shell script that downloads and runs a malicious binary. Resbot’s infrastructure is marked by domains with Italian-language identifiers, leading analysts to speculate a possible focus on devices operated by Italian-speaking users.
This botnet aggressively scans FTP (port 21) and Telnet and exploits a range of vulnerabilities in Internet-of-Things (IoT) devices. Among them are long-standing flaws in the Huawei HG532 (CVE-2017-17215), the Realtek SDK (CVE-2014-8361), and the TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368).
Security researchers emphasize that the Mirai source code remains one of the most prolifically weaponized in the botnet ecosystem. Its ease of modification ensures that each new published exploit triggers fresh infection waves. The latest incidents also exploited CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 recorders. Through it, attackers initiate a script that downloads the botnet from 42.112.26[.]36, preceded by checks to evade virtual environments or QEMU-based sandboxes.
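As an added defender-side example, not code from the article or from Akamai, the script below takes the two payload-hosting addresses quoted above (176.65.134[.]62 and 42.112.26[.]36) together with the affected Wazuh version range (4.4.0 up to the 4.9.1 fix) and turns them into two checks: an outbound-connection log sweep for contacts with those hosts, and a version gate for the server itself. The log lines and hostnames are constructed for the example, and the `dst=`/`host=` field layout is an assumption about the log format.

```python
"""Added example: match published IoCs against connection logs and gate on the
affected Wazuh version range. Log lines are constructed, not real telemetry."""
import ipaddress
import re

# IoCs exactly as the article publishes them (defanged)
ARTICLE_IOCS_DEFANGED = ["176.65.134[.]62", "42.112.26[.]36"]


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be parsed as an address."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in ARTICLE_IOCS_DEFANGED}


def parse_version(v: str) -> tuple:
    """'v4.9.1' -> (4, 9, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in v.strip().lstrip("v").split("."))


AFFECTED_FROM = parse_version("4.4.0")   # first affected release per the article
FIXED_IN = parse_version("4.9.1")        # release that ships the fix


def is_affected_wazuh_version(v: str) -> bool:
    """True for 4.4.0 <= version < 4.9.1."""
    return AFFECTED_FROM <= parse_version(v) < FIXED_IN


# Constructed sample of outbound-connection log lines (hypothetical format)
SAMPLE_LOG = """\
2025-03-12T10:01:02Z host=agent-07 proto=tcp dst=176.65.134.62 dport=80 action=connect
2025-03-12T10:01:05Z host=agent-07 proto=tcp dst=93.184.216.34 dport=443 action=connect
2025-03-12T10:02:11Z host=dvr-lobby proto=tcp dst=42.112.26.36 dport=80 action=connect
2025-03-12T10:02:12Z host=dvr-lobby proto=udp dst=10.0.0.53 dport=53 action=connect
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\bhost=(\S+)")


def find_ioc_hits(log_text: str) -> list:
    """Return one record per log line whose destination is a published IoC."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group(1))
        except ValueError:          # malformed octet such as 999.1.1.1
            continue
        if dst in IOC_IPS:
            host = HOST_RE.search(line)
            hits.append({"host": host.group(1) if host else "?", "dst": str(dst), "line": line})
    return hits


if __name__ == "__main__":
    for v in ("4.3.11", "4.4.0", "4.9.0", "4.9.1", "4.10.0"):
        print(v, "affected" if is_affected_wazuh_version(v) else "not in affected range")
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"[IoC hit] {hit['host']} -> {hit['dst']}")
```

Comparing parsed `ipaddress` objects rather than raw strings avoids false negatives from zero-padded or otherwise re-formatted octets, and keeping the IoCs defanged in source means the list can be pasted straight from an advisory without accidentally becoming clickable.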
The highest infection rates have been recorded in China, India, Egypt, Turkey, Ukraine, and Brazil. More than 50,000 internet-exposed DVR devices were identified as potentially vulnerable to takeover.
The scale of the attacks is further corroborated by StormWall data: in the first quarter of 2025, botnet activity was most intense in the Asia-Pacific region—particularly in China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh. Of particular concern is the rise of novel techniques such as API flooding and carpet bombing, which are evolving faster than traditional TCP and UDP-based attacks, prompting organizations to rethink their defensive strategies.
Meanwhile, the FBI has issued an alert regarding a new iteration of the BADBOX 2.0 botnet, composed of numerous devices preloaded with malware—primarily manufactured in China. These compromised devices are repurposed as proxy nodes within criminal infrastructures. According to the bureau, infections may occur either before purchase or immediately afterward—through the installation of apps embedded with backdoors.