Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

News Room, published 9 June 2025 (last updated 2025/06/09 at 12:03 PM)

A now-patched critical security flaw in the Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks.

Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers.

The security defect, which affects all versions of the server software from 4.4.0 onward, was addressed in February 2025 with the release of 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were released.

The problem is rooted in the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. A threat actor could weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely.
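The paragraph above describes the bug class, not the fix: a JSON deserializer that lets the sender name the type to rebuild. The following added example (not Wazuh's code, and not the real `as_wazuh_object` wire format; the marker keys `__type__` and `__args__` and the helper names are hypothetical) contrasts an unsafe `object_hook` that imports and calls whatever the payload names with a hardened one that can only construct entries from a closed allowlist and rejects anything else.

```python
import importlib
import json
from datetime import date
from typing import Any, Callable, Dict

# Hypothetical marker keys (not Wazuh's real format) that tell the
# deserializer "rebuild this object" instead of keeping a plain dict.
TYPE_KEY = "__type__"
ARGS_KEY = "__args__"


def unsafe_object_hook(obj: Dict[str, Any]) -> Any:
    """The CWE-502 pattern: the sender names a dotted path, the receiver
    imports it and calls it. Nothing limits the name to the handful of
    types the protocol actually needs, so the payload picks the callable."""
    if TYPE_KEY in obj:
        module_name, _, attr = str(obj[TYPE_KEY]).rpartition(".")
        target: Callable[..., Any] = getattr(importlib.import_module(module_name), attr)
        return target(*obj.get(ARGS_KEY, []))
    return obj


# Hardened version: a closed table of constructors keyed by short protocol
# names. The sender chooses a key; it can never choose a module or attribute.
ALLOWED_TYPES: Dict[str, Callable[..., Any]] = {
    "date": lambda y, m, d: date(int(y), int(m), int(d)),
    "bytes": lambda hex_str: bytes.fromhex(hex_str),
}


class RejectedObject(ValueError):
    """Raised when an envelope names a type outside ALLOWED_TYPES or is malformed."""


def safe_object_hook(obj: Dict[str, Any]) -> Any:
    if TYPE_KEY not in obj:
        return obj
    name = obj[TYPE_KEY]
    if not isinstance(name, str) or name not in ALLOWED_TYPES:
        raise RejectedObject(f"refusing to construct unlisted type {name!r}")
    args = obj.get(ARGS_KEY, [])
    if not isinstance(args, list):
        raise RejectedObject("args must be a JSON array")
    return ALLOWED_TYPES[name](*args)


def loads_unsafe(text: str) -> Any:
    """Deserialize with the vulnerable hook (for demonstration only)."""
    return json.loads(text, object_hook=unsafe_object_hook)


def loads_safe(text: str) -> Any:
    """Deserialize with the allowlist hook."""
    return json.loads(text, object_hook=safe_object_hook)


def rejects(text: str) -> bool:
    """True if the hardened deserializer refuses the given document."""
    try:
        loads_safe(text)
    except RejectedObject:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample documents. The first is legitimate protocol data;
    # the second names a callable the protocol never needed (a harmless
    # builtin here, which is exactly the point: the sender decides).
    legit = '{"when": {"__type__": "date", "__args__": [2025, 2, 10]}}'
    foreign = '{"__type__": "builtins.len", "__args__": ["abcd"]}'
    print("safe:", loads_safe(legit))
    print("unsafe resolved a foreign callable:", loads_unsafe(foreign))
    print("safe rejects it:", rejects(foreign))
```

The design point is that the hardened hook never turns a string from the wire into an import or attribute lookup; the only thing a sender can influence is which pre-registered constructor runs and with which JSON-typed arguments, which is the kind of constraint a deserialization review should check for in any framework that rebuilds objects from JSON.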

The web infrastructure company said it discovered attempts by two different botnets to exploit CVE-2025-24016 merely weeks after public disclosure of the flaw and the release of the PoC. The attacks were registered in early March and May 2025.

“This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs,” security researchers Kyle Lefton and Daniel Messing said in a report shared with The Hacker News.

In the first instance, a successful exploit paves the way for the execution of a shell script that serves as a downloader for the Mirai botnet payload from an external server (“176.65.134[.]62”) for different architectures. It’s assessed that the malware samples are variants of LZRD Mirai, which has been around since 2023.

It’s worth noting that LZRD was also deployed recently in attacks exploiting GeoVision end-of-life (EoL) Internet of Things (IoT) devices. However, Akamai told The Hacker News that there is no evidence that these two activity clusters are the work of the same threat actor given that LZRD is used by myriad botnet operators.

Further infrastructure analysis of “176.65.134[.]62” and its associated domains has led to the discovery of other Mirai botnet versions, including LZRD variants named “neon” and “vision,” and an updated version of V3G4.

Other security flaws exploited by the botnet include vulnerabilities in Hadoop YARN, TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.

The second botnet to abuse CVE-2025-24016 employs a similar strategy of using a malicious shell script to deliver another Mirai botnet variant referred to as Resbot (aka Resentual).

“One of the interesting things that we noticed about this botnet was the associated language. It was using a variety of domains to spread the malware that all had Italian nomenclature,” the researchers said. “The linguistic naming conventions could indicate a campaign to target devices owned and run by Italian-speaking users in particular.”

Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting the Huawei HG532 router (CVE-2017-17215), the Realtek SDK (CVE-2014-8361), and the TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368).

“The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets,” the researchers said. “And botnet operators can often find success with simply leveraging newly published exploits.”

CVE-2025-24016 is far from the only vulnerability to be abused by Mirai botnet variants. In recent attacks, threat actors have also taken advantage of CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to enlist them into the botnet.

The vulnerability is used to trigger the execution of a shell script that’s responsible for downloading the Mirai botnet from a remote server (“42.112.26[.]36”) and executing it, but not before checking if it’s currently running inside a virtual machine or QEMU.

Russian cybersecurity company Kaspersky said the infections are concentrated around China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, adding it identified over 50,000 exposed DVR devices online.

“Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect,” security researcher Anderson Leite said.

The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall.

“API floods and carpet bombing are growing faster than traditional volumetric TCP/UDP attacks, pushing companies to adopt smarter, more flexible defenses,” the company said. “At the same time, rising geopolitical tensions are driving a surge in attacks on government systems and Taiwan – highlighting increased activity from hacktivists and state-sponsored threat actors.”

It also follows an advisory from the U.S. Federal Bureau of Investigation (FBI) that the BADBOX 2.0 botnet has infected millions of internet-connected devices, most of which are manufactured in China, in order to turn them into residential proxies to facilitate criminal activity.

“Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the user’s purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process,” the FBI said.

“The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity.”
