Cybercriminals are trying to spread multiple Mirai variants by exploiting a critical Wazuh vulnerability, researchers say – the first reported active attacks since the code execution bug was disclosed.
The vulnerability in question, tracked as CVE-2025-24016 (CVSS score 9.9), is a remote code execution (RCE) issue affecting the open source XDR and SIEM solution Wazuh, which is used by more than 100,000 enterprises worldwide, including multiple Fortune 100 companies.
The vulnerability was disclosed in February, and the recent botnet attacks are the first reported cases of its active exploitation; it currently does not appear in CISA’s KEV catalog.
Researchers at Akamai detected the earliest attempts to pop servers using CVE-2025-24016 in early March, which the company says is indicative of the increasingly short time-to-attack windows the industry is seeing, especially when it comes to botnets.
In typical Mirai fashion, the shell scripts on display in these early attacks primarily target a range of IoT devices, with the attackers behind them using multiple longstanding variants such as LZRD and V3G4.
The variants also attempt to exploit additional vulnerabilities, including an older command injection bug affecting TP-Link Archer AX21 routers, a 12-year-old ZTE ZXV10 H108L router RCE exploit, and a Hadoop YARN vulnerability.
The second botnet targeting the same Wazuh vulnerability was doing so as recently as early May. The botnet known as Resbot was seen running scripts to download Mirai, while also targeting other IoT devices.
“One of the interesting things that we noticed about this botnet was the associated language,” said Akamai researchers Kyle Lefton and Daniel Messing. “It was using a variety of domains to spread the malware that all had Italian nomenclature. Domains such as ‘gestisciweb.com,’ for example, roughly translate to ‘manage web.’
“They look similar to malicious domain names that are often used for phishing attacks because they look much more legitimate than their C2 ‘resbot.online,’ which is more clearly a malicious domain. The linguistic naming conventions could indicate a campaign to target devices owned and run by Italian-speaking users in particular.”
Like the first, distinct Mirai botnet, Resbot was also seen trying its luck against various other older vulnerabilities, including Zyxel and Huawei router CVEs from 2017, and a critical flaw in Realtek’s SDK from 2014.
The attacks are targeting active Wazuh servers that are running outdated versions, but the team behind the open source security platform released a patch for CVE-2025-24016 in October 2024 (version 4.9.1). Upgrading to that version, or any later release, will scupper these botnet attacks.
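Because the only fix the article names is "run 4.9.1 or later", the practical defender's task is an inventory check: read the version off each Wazuh host and compare it against the fixed release. The snippet below is an added example, not code from the article or from the Wazuh project. It assumes the `WAZUH_VERSION="vX.Y.Z"` key/value line that the `wazuh-control info` command prints (verify the format against your own install), uses a constructed sample of that output, and shows why the comparison must be numeric rather than a plain string compare (as a string, "v4.10.0" sorts before "v4.9.1" and would be wrongly flagged as vulnerable).

```python
import re

# First release carrying the fix for CVE-2025-24016, per the article (4.9.1).
FIXED_VERSION = (4, 9, 1)

# Constructed sample of the key=value lines assumed to come from
# `/var/ossec/bin/wazuh-control info` on an unpatched host.
SAMPLE_INFO = '''WAZUH_VERSION="v4.8.2"
WAZUH_REVISION="40820"
WAZUH_TYPE="server"
'''

_VERSION_RE = re.compile(r'^WAZUH_VERSION="v?(\d+)\.(\d+)\.(\d+)"\s*$', re.MULTILINE)


def parse_version(info_text):
    """Extract (major, minor, patch) as integers from wazuh-control style output.

    Raises ValueError when no WAZUH_VERSION line is present, so a host whose
    output is garbled is reported rather than silently treated as patched.
    """
    match = _VERSION_RE.search(info_text)
    if match is None:
        raise ValueError("no WAZUH_VERSION line found in input")
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """Tuple comparison compares each component numerically, so 4.10.0 >= 4.9.1."""
    return tuple(version) >= FIXED_VERSION


def check_host(info_text):
    """Return a small report dict for one host's wazuh-control output."""
    version = parse_version(info_text)
    patched = is_patched(version)
    return {
        "version": ".".join(str(p) for p in version),
        "patched": patched,
        "action": "none" if patched else "upgrade to 4.9.1 or later (CVE-2025-24016)",
    }


def string_compare_is_misleading():
    """Demonstrates the pitfall: lexical ordering misranks 4.10.0 below 4.9.1."""
    return "v4.10.0" < "v4.9.1"


if __name__ == "__main__":
    print(check_host(SAMPLE_INFO))
    print("string compare says 4.10.0 < 4.9.1:", string_compare_is_misleading())
```

Run it against the real output of `wazuh-control info` on each server (for example by piping the output in and calling `check_host` on it) and feed the `patched` flag into whatever inventory or ticketing system tracks the upgrade; the version-parsing regex is the only part tied to the assumed output format.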
Attacks using the vulnerability would doubtless have been helped by a full proof of concept (PoC) exploit being shared by an independent researcher within two weeks of the bug’s disclosure.
Whenever exploit code is released to the public, it typically becomes a matter of time before successful attacks using those details begin to emerge.
Akamai’s researchers said the Mirai botnet used the exact same PoC as the one shared publicly, while Resbot used an altered version.
“Researchers’ attempts to educate organizations on the importance of vulnerabilities by creating PoCs continue to lead to baleful results, showing just how dire it is to keep up with patches when they are released,” Lefton and Messing blogged.
“Botnet operators keep tabs on some of these vulnerability disclosures — and, especially in cases where PoCs are made available, they will quickly adapt the PoC code to proliferate their botnet.”
Kaspersky also reported a separate wave of Mirai expansion efforts targeting vulnerabilities in digital video recorders, although the campaigns aren’t thought to be orchestrated by the same operators. ®