UPDATE
Two separate Mirai botnet campaigns are exploiting a critical flaw in a somewhat unlikely target.
The Akamai Security Intelligence and Response Team recently observed exploitation of CVE-2025-24016, a remote code execution vulnerability in the open source Wazuh cybersecurity platform. The flaw, which was assigned a 9.9 CVSS score, stems from an unsafe deserialization issue that affects versions 4.4.0 to 4.9.1 of the platform.
CVE-2025-24016 was publicly disclosed Feb. 10, and a proof-of-concept (PoC) exploit was published on GitHub later that month. Akamai researchers observed exploitation activity starting in early March.
“This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs,” Akamai researchers Kyle Lefton and Daniel Messing wrote in a blog post on June 9.
The research team later traced the exploitation activity to two campaigns involving variants of the infamous Mirai botnet.
More Mirai Mayhem
Mirai botnets have caused havoc with high-powered distributed denial-of-service (DDoS) attacks for nearly a decade. The original Mirai malware was developed in 2016 by a group of young hackers to launch DDoS attacks against servers running the popular video game Minecraft.
However, the developers of the Internet of Things (IoT) botnet malware publicly released the source code, which allowed other threat actors and cybercriminal groups to craft their own botnets. That kicked off a series of devastating DDoS attacks against critical targets, with volumes of traffic that were unprecedented at the time.
Nearly 10 years later, IoT botnets using Mirai variants continue to pose problems across the globe. But in the latest campaigns, the botnets have new targets.
The first campaign targeting Wazuh servers involved LZRD Mirai variants, with exploitation activity beginning in early March. “Similar to the average shell scripts we often see with Mirai, it supports a variety of different architectures to target primarily Internet of Things devices,” Lefton and Messing wrote.
But unlike most Mirai botnets, which target IoT and connected consumer devices with weak security protections, this campaign also targeted a cybersecurity platform.
A second botnet campaign, which the researchers named “Resbot,” followed suit in May. Similar to the other Mirai variants, it exploits vulnerable Wazuh instances and has a payload that targets a wide range of IoT architectures.
However, Akamai researchers spotted two notable differences between the two campaigns. While the first wave of exploitation attempts featured code that was identical to the PoC for CVE-2025-24016, the Resbot campaign used different code that targeted the endpoint “/Wazuh” instead of the “/security/user/authenticate/run_as” endpoint.
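As a defender-side illustration of the endpoint difference described above, the following added example (not code from Akamai, Wazuh, or the original article) scans constructed API access-log lines for requests to the two paths named in the report and counts them per source, separating attempts that got a 2xx response from those that did not, since exploitation needs valid credentials. The log line layout is an assumption made for this example, not Wazuh's actual api.log format.

```python
import re
from collections import Counter

# Request paths named in Akamai's report: the first campaign reused the public
# PoC against the run_as endpoint; the Resbot campaign targeted "/Wazuh".
WATCHED_PATHS = {"/security/user/authenticate/run_as", "/Wazuh"}

# Assumed log line shape (constructed for this example, not Wazuh's real format):
# <date> <time> <LEVEL>: <user> <src_ip> "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<level>\w+): (?P<user>\S+) (?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_requests(lines):
    """Return parsed requests whose path is one of the watched endpoints.
    The query string is stripped and the match is exact, so routine API
    traffic to other endpoints is not flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in WATCHED_PATHS:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count flagged requests per source IP and list sources that received a
    2xx response; those are the ones worth triaging first, because the flaw
    is only reachable with valid administrative API credentials."""
    per_src = Counter(h["src"] for h in hits)
    succeeded = sorted({h["src"] for h in hits if h["status"].startswith("2")})
    return {"per_source": dict(per_src), "successful_sources": succeeded}

# Constructed sample log lines; the IPs are documentation ranges, not real IoCs.
SAMPLE_LOG = [
    '2025/03/04 10:15:01 INFO: wazuh 203.0.113.5 "POST /security/user/authenticate/run_as" 401',
    '2025/03/04 10:15:02 INFO: wazuh 203.0.113.5 "POST /security/user/authenticate/run_as" 200',
    '2025/03/04 10:16:30 INFO: wazuh 192.0.2.44 "GET /agents?limit=10" 200',
    '2025/05/12 22:03:11 INFO: wazuh 198.51.100.7 "POST /Wazuh" 404',
]

if __name__ == "__main__":
    print(summarize(suspicious_requests(SAMPLE_LOG)))
```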
Additionally, the researchers found clues that pointed to Italian-speaking threat actors. “One of the interesting things that we noticed about this botnet was the associated language,” they wrote. “It was using a variety of domains to spread the malware that all had Italian nomenclature. Domains such as ‘gestisciweb.com,’ for example, roughly translate to ‘manage web.’”
Akamai did not attribute either campaign to a specific threat actor or group, but the researchers believe the two campaigns are unrelated. In an email to Dark Reading, Lefton wrote that botnet operators tend to be opportunistic and that this could be a case of one campaign taking advantage of a public proof of concept and another campaign essentially copycatting the first.
“It is possible that the second botnet (Resbot) saw the exploit functionality that the first one did earlier this year,” he wrote. “The vulnerability has been public for months, though, so it would be possible for multiple botnets to adopt it without having any coordination with each other.”
Additionally, botnet operators often target a wide range of vulnerabilities, not just those in IoT products. According to Lefton, some Mirai variants in the past exploited vulnerabilities in other types of devices and software, such as the V3G4 botnet, which targeted flaws in Atlassian Confluence and Webmin, a Web-based server control panel for Unix-like systems.
Lefton wrote that it’s possible that previous Mirai variants have targeted vulnerabilities in cybersecurity products, but he isn’t aware of any examples.
The Problem With PoCs
The Cybersecurity and Infrastructure Security Agency added CVE-2025-24016 to its Known Exploited Vulnerabilities catalog on June 9.
In a blog post Wednesday, Wazuh pushed back on Akamai’s report and denied that CVE-2025-24016 had been exploited. The company stressed that exploitation requires valid administrative API credentials and access to the Wazuh server API. “As such, the likelihood of exploitation is low, and the overall risk is limited,” Wazuh said. “Our investigation confirmed that this vulnerability impacted none of our customers.”
While the campaigns demonstrate the continued propagation of Mirai variants, the botnets also show the risks of publicly releasing PoCs for known vulnerabilities, according to Lefton and Messing.
“Although the CVE program is overall a net benefit to the industry, it can sometimes be a double-edged sword by shining light on vulnerabilities that might have otherwise been overlooked by nefarious actors,” they wrote. “Researchers’ attempts to educate organizations on the importance of vulnerabilities by creating PoCs continue to lead to baleful results, showing just how dire it is to keep up with patches when they are released.”
Akamai urged organizations to upgrade to Wazuh version 4.9.1 or later. The researchers also warned that botnet operators keep an eye on public vulnerability disclosures and will quickly weaponize any PoC code that becomes available, so timely patching should be a priority for all organizations.
This story was updated at 4:15 pm ET on June 12 to include a blog post from Wazuh.