Wazuh Servers Under Siege: A Growing Threat in the Cybersecurity Landscape
A newly discovered and critical vulnerability in Wazuh servers has opened the door to dangerous Mirai botnet exploitation, according to a warning issued by cybersecurity giant Akamai. Wazuh, an open-source platform used for threat detection and incident response, has been impacted by a remote code execution (RCE) flaw, tracked as CVE-2025-24016, that could allow attackers to hijack vulnerable systems remotely.
This vulnerability stems from unsafe deserialization, and was first publicly disclosed on February 10, 2025, by Wazuh's developers. The issue affected versions 4.4.0 through 4.9.0, with a patch arriving in version 4.9.1. What makes this flaw particularly dangerous is its accessibility: anyone with API access to a compromised Wazuh dashboard, or in some misconfigured systems even a compromised agent, can trigger the vulnerability.
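A quick triage helper for the version range stated above (4.4.0 through 4.9.0 affected, fixed in 4.9.1), added here as an example and not taken from the article or from Wazuh's own tooling. It assumes the `wazuh-control info` output carries a `WAZUH_VERSION="vX.Y.Z"` line; the sample text is constructed.

```python
import re

# Affected range and fix version as stated in the article.
FIRST_AFFECTED = (4, 4, 0)
FIRST_FIXED = (4, 9, 1)

# Constructed sample, assumed to resemble `wazuh-control info` output
# (the key names are an assumption, not taken from the article).
SAMPLE_INFO = '''WAZUH_VERSION="v4.8.2"
WAZUH_REVISION="40822"
WAZUH_TYPE="server"
'''


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'v4.8.2' or a
    WAZUH_VERSION="v4.8.2" line; raises ValueError if none is present."""
    m = re.search(r'\bv?(\d+)\.(\d+)\.(\d+)\b', text)
    if not m:
        raise ValueError("no x.y.z version string found")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when version lies in [4.4.0, 4.9.1), the range the article gives
    for CVE-2025-24016. Tuple comparison keeps 4.10.0 above 4.9.1, which a
    plain string comparison would get wrong."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def triage(info_text):
    """Return a one-line status for one server's wazuh-control output."""
    v = parse_version(info_text)
    label = ".".join(map(str, v))
    if is_affected(v):
        return f"{label}: AFFECTED - upgrade to 4.9.1 or later"
    return f"{label}: not in affected range"


if __name__ == "__main__":
    print(triage(SAMPLE_INFO))
```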
At the time of disclosure, a proof-of-concept (PoC) exploit was released, first allowing denial-of-service (DoS) attacks, followed shortly by one that enabled full remote code execution (RCE). This naturally caught the attention of malicious actors, and by March 2025, Akamai’s honeypots began detecting in-the-wild exploitation attempts.
Akamai reported that two Mirai botnet campaigns have since weaponized this vulnerability. The first began in early March, with the exploit pulling a shell script that downloads the Mirai malware payload. This botnet also scans and targets vulnerabilities in Hadoop YARN, TP-Link, and ZTE routers, suggesting a widespread campaign.
The second campaign was observed in early May, showing a slight regional twist, as Akamai suggests the attackers may have been aiming at Italian-speaking users. This aligns with the typical opportunistic nature of botnet operators, who adapt quickly and reuse old malware code while simply inserting new exploits into the delivery mechanisms.
Akamai has released Indicators of Compromise (IoCs) to aid defenders in detecting and stopping these attacks. Meanwhile, Kaspersky reported a separate wave of Mirai attacks exploiting CVE-2024-3721, targeting TBK DVR devices, further demonstrating the enduring threat of the Mirai botnet across different systems and vulnerabilities.
What Undercode Says: Deep Dive into the Wazuh Botnet Exploitation
Exploitation Mechanics
The heart of CVE-2025-24016 lies in unsafe deserialization, a common but dangerous coding flaw where serialized user input is deserialized without proper validation. This gives attackers the chance to inject arbitrary code, essentially hijacking the system. In Wazuh's case, the flaw was buried in API-level access, making dashboard and agent-level breaches all the more hazardous.
Mirai botnet operators wasted no time integrating this vulnerability into their payloads. The first variant uses a simplistic yet effective delivery method: it fetches a remote shell script, which acts as a downloader for the Mirai malware. Once installed, infected Wazuh servers become nodes in a global botnet infrastructure capable of DDoS attacks and malware propagation.
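To make the flaw class concrete, here is a constructed Python illustration (added for this write-up, not Wazuh's code or Akamai's analysis) of deserializing caller-supplied data without validation, next to two hardened forms: an unpickler that refuses every class reference, and the preferable option for an HTTP API of parsing JSON against an explicit allow-list. The parameter names and sample inputs are assumptions.

```python
import datetime
import io
import json
import pickle

# Flaw class named above: pickle.loads on caller-supplied bytes honours any
# importable class or function the sender names. Constructed illustration of
# the pattern only, not Wazuh's code.
def unsafe_load(blob):
    return pickle.loads(blob)

# Hardened form 1: an unpickler that refuses every global reference, so only
# builtin scalars and containers can ever be reconstructed.
class NoGlobalsUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_load(blob):
    return NoGlobalsUnpickler(io.BytesIO(blob)).load()

# Hardened form 2 (preferable for an HTTP API): never accept pickle at all;
# parse JSON and check each key and its exact type against an allow-list.
ALLOWED_PARAMS = {"agent_id": str, "limit": int}  # assumed parameter names

def load_api_params(text):
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("params must be a JSON object")
    for key, value in data.items():
        if type(value) is not ALLOWED_PARAMS.get(key):  # exact type: no bool-as-int
            raise ValueError(f"unexpected parameter {key!r}")
    return data

# Constructed inputs: a plain dict (no class references) and a benign object
# whose pickle carries a class reference, which the restricted loader refuses.
def sample_plain_blob():
    return pickle.dumps({"agent_id": "001", "limit": 5})

def sample_object_blob():
    return pickle.dumps(datetime.date(2025, 2, 10))

def rejects(loader, data):
    """True when loader raises for data, the outcome a defender wants."""
    try:
        loader(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False

if __name__ == "__main__":
    print("plain dict, restricted loader:", restricted_load(sample_plain_blob()))
    print("object pickle rejected by restricted loader:", rejects(restricted_load, sample_object_blob()))
    print("object pickle rejected by unsafe loader:", rejects(unsafe_load, sample_object_blob()))
```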
Botnet Evolution
Mirai is no longer just a “script kiddie” tool; it’s a modular, rapidly evolving malware family. The campaigns targeting Wazuh mirror a broader trend of cybercriminals exploiting fresh vulnerabilities with old malware. The modularity of Mirai's codebase makes it easy to repurpose for newly discovered CVEs. This means defenders are always playing catch-up, especially when exploit PoCs are released publicly, often before many organizations have patched.
The second Mirai campaign's regional targeting, especially toward Italian-speaking environments, indicates an increasing sophistication in botnet strategies. They're not just throwing attacks blindly anymore; they’re tailoring payloads and phishing campaigns to specific user bases and even languages.
Broader Implications
This incident highlights a troubling pattern: open-source security tools are not immune to the threats they're designed to detect. It raises questions about supply chain security and patch management practices in enterprises that rely on such tools.
More broadly, the Wazuh incident adds to a wave of botnet-fueled RCE exploits, including recent attacks on Samsung MagicINFO and TBK DVRs, showing that any internet-facing device, whether it's a router, DVR, or security dashboard, is fair game if left unpatched.
Organizations must act swiftly, not only to apply patches but to harden configurations, limit unnecessary API access, and monitor their environments using up-to-date threat intelligence.
Fact Checker Results:
The CVE-2025-24016 vulnerability is confirmed by Wazuh and Akamai.
Two Mirai botnet variants were documented exploiting the flaw in March and May 2025.
Kaspersky also reported Mirai attacks on unrelated systems via CVE-2024-3721.
Prediction:
Mirai's future campaigns will likely continue to leverage newly disclosed RCE flaws in open-source and IoT platforms. Expect to see faster integration of CVEs into botnet toolkits within days of public disclosure, especially for targets with exposed APIs. Security teams should brace for a continued rise in automated, region-targeted attacks and prioritize zero-trust architectures and aggressive patch cycles to stay ahead.
References:
Reported By: www.securityweek.com