
Critical Wazuh Server RCE Vulnerability Exploited to Deploy Mirai Variants


Security researchers at Akamai have discovered active exploitation of a critical remote code execution vulnerability in Wazuh servers, marking the first reported in-the-wild attacks against the open-source security platform since the flaw’s disclosure earlier this year.

The vulnerability, tracked as CVE-2025-24016 with a CVSS score of 9.9, affects Wazuh versions 4.4.0 through 4.9.0 and lets a remote attacker who can reach the Wazuh API execute arbitrary Python code on the server by sending a maliciously crafted JSON request body.

The Akamai Security Intelligence and Response Team (SIRT) identified the exploitation attempts in their global honeypot network in late March 2025, just weeks after the vulnerability’s initial disclosure in February.

The flaw stems from unsafe deserialization in Wazuh's manager package, specifically in the Distributed API (DAPI). DAPI request and response parameters are serialized as JSON and then deserialized with a custom object hook, the as_wazuh_object function, which rebuilds Python objects from specially keyed dictionaries. An attacker who can inject an unsanitized dictionary into a DAPI request can forge an "unhandled exception" object, keyed __unhandled_exc__, whose contents the hook hands to Python's eval, so the attacker chooses what code runs.

The attacks closely mirror a proof-of-concept exploit published in late February 2025, which targets the /security/user/authenticate/run_as endpoint with a JSON body carrying a forged __unhandled_exc__ object. However, researchers also observed attempts against a different endpoint, /Wazuh, suggesting attackers are adapting their techniques rather than replaying the PoC verbatim.
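To make the bug class in the two preceding paragraphs concrete, the following Python example (written for this page, not Wazuh's own source) models a JSON object hook that trusts a marker key and evaluates its contents, places a hardened allowlist-based hook beside it, and adds a request-inspection function that flags any inbound body carrying the __unhandled_exc__ marker, wherever it is nested. The function names, the allowlist contents and the sample request bodies are constructed for the example; the payload only calls the builtin len() to show that the client controls what is evaluated.

```python
"""Unsafe JSON object-hook deserialization, modeled on the bug class in the article.

Added example; this is NOT Wazuh's source. Function names, the allowlist and the
sample request bodies are constructed for illustration.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

MARKER = "__unhandled_exc__"


def unsafe_object_hook(dct: Dict[str, Any]) -> Any:
    """Vulnerable pattern: trusts the marker key and evaluates its contents.

    json.loads calls the hook for every JSON object it decodes, so the string
    under "__class__" reaches eval() no matter how deeply the attacker nests it.
    """
    if MARKER in dct:
        exc = dct[MARKER]
        return eval(exc["__class__"])(*exc.get("__args__", []))
    return dct


class DecodeError(ValueError):
    """Raised when a wire object does not match the allowed shape."""


# Hardened pattern: only classes named in a fixed allowlist may be rebuilt
# from the wire (the allowlist contents are an assumption for this example).
ALLOWED_EXCEPTIONS: Dict[str, Callable[..., BaseException]] = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}


def safe_object_hook(dct: Dict[str, Any]) -> Any:
    """Rebuild an encoded exception only if its class is allowlisted and its args are scalars."""
    if MARKER in dct:
        exc = dct[MARKER]
        name = exc.get("__class__") if isinstance(exc, dict) else None
        args = exc.get("__args__", []) if isinstance(exc, dict) else None
        if not isinstance(name, str) or name not in ALLOWED_EXCEPTIONS:
            raise DecodeError(f"refusing to reconstruct {name!r}")
        if not isinstance(args, list) or not all(
            isinstance(a, (str, int, float, bool)) for a in args
        ):
            raise DecodeError("exception args must be a flat list of scalars")
        return ALLOWED_EXCEPTIONS[name](*args)
    return dct


def decode(body: str, hook: Callable[[Dict[str, Any]], Any]) -> Any:
    """Decode a JSON body with the given object hook (the deserialization step)."""
    return json.loads(body, object_hook=hook)


# Constructed request bodies (not real traffic). The first makes the unsafe hook
# evaluate the builtin len(); the second is the shape of a legitimate encoded exception.
ATTACK_BODY = json.dumps({MARKER: {"__class__": "len", "__args__": ["abcd"]}})
LEGIT_BODY = json.dumps({MARKER: {"__class__": "ValueError", "__args__": ["bad input"]}})


def flag_requests(requests: List[Tuple[str, str]]) -> List[str]:
    """Return the paths of requests whose JSON body carries the marker anywhere.

    Meant for a reverse proxy or WAF rule in front of the API: the marker is an
    internal DAPI encoding, so an external client has no reason to send it.
    """
    flagged = []
    for path, body in requests:
        found = False

        def spot(d: Dict[str, Any]) -> Dict[str, Any]:
            nonlocal found
            if MARKER in d:
                found = True
            return d  # inspect only; never rebuild objects here

        try:
            json.loads(body, object_hook=spot)
        except ValueError:
            continue  # not JSON; out of scope for this check
        if found:
            flagged.append(path)
    return flagged


# Constructed sample traffic: a PoC-shaped request, a benign request, and the
# same marker buried inside an unrelated body.
SAMPLE_REQUESTS = [
    ("/security/user/authenticate/run_as", ATTACK_BODY),
    ("/security/user/authenticate/run_as", json.dumps({"user_name": "alice"})),
    ("/agents", json.dumps({"nested": {"deep": [json.loads(ATTACK_BODY)]}})),
]


if __name__ == "__main__":
    print("unsafe hook evaluated:", decode(ATTACK_BODY, unsafe_object_hook))
    try:
        decode(ATTACK_BODY, safe_object_hook)
    except DecodeError as err:
        print("safe hook rejected:", err)
    print("flagged paths:", flag_requests(SAMPLE_REQUESTS))
```

The design point is that the hardened hook never consults the interpreter to resolve a name from the wire: the mapping from class name to constructor is fixed at import time, and anything outside it is refused before any object is built. The detection function is a stopgap for servers that cannot be patched immediately; it does not replace upgrading.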

Two Distinct Botnet Campaigns

Akamai identified two separate botnets leveraging this vulnerability to distribute Mirai malware variants. The first campaign, active since early March, deploys LZRD Mirai variant samples named "morte", built for the multiple CPU architectures commonly found in Internet of Things (IoT) devices. These samples can be identified by their hard-coded console string "lzrd here".

The second botnet, discovered in early May 2025, distributes malware called “resgod” associated with the “Resbot/Resentual” operation. This campaign is particularly notable for its use of Italian nomenclature in domain names such as “gestisciweb[.]com,” which translates to “manage web,” potentially indicating targeting of Italian-speaking users or infrastructure.

Both botnets operate well beyond the Wazuh exploit. The first campaign connects to command-and-control domains including nuklearcnc.duckdns.org and cbot.galaxias.cc, and the malware samples associated with that infrastructure include several Mirai variants, among them modified V3G4 builds.

The attackers are not limiting themselves to the Wazuh vulnerability alone. Researchers observed exploitation attempts against multiple known vulnerabilities, including CVE-2023-1389 affecting TP-Link Archer AX21 routers, CVE-2017-17215 targeting Huawei HG532 devices, and CVE-2017-18368 affecting ZyXEL routers.

At the time of Akamai's report, and despite having been public for months, CVE-2025-24016 had not yet been added to CISA's Known Exploited Vulnerabilities catalog, making Akamai's findings the first confirmed report of in-the-wild exploitation.

The rapid weaponization is another instance of the shrinking time-to-exploit that botnet operators now achieve for newly disclosed vulnerabilities: roughly a month from public disclosure to observed attacks.

Unlike many IoT-focused vulnerabilities that typically affect end-of-life devices, this flaw impacts active Wazuh servers running outdated versions, making it particularly concerning for enterprise environments.

Organizations using Wazuh are strongly advised to upgrade immediately to version 4.9.1 or later, the first release that contains the fix, and to restrict network access to the Wazuh API to trusted hosts in the meantime.

The discovery underscores the ongoing evolution of Mirai-based botnets and their operators’ ability to rapidly incorporate new exploits into their attack infrastructure, emphasizing the critical importance of timely security patching in enterprise environments.


The post Critical Wazuh Server RCE Vulnerability Exploited to Deploy Mirai Variants appeared first on Cyber Security News.
