Critical Wazuh Server vulnerability exploited by Mirai Botnet
Take action: If you're running Wazuh server versions 4.4.0 through 4.9.0, first make sure to restrict API access to only essential authorized users. Then plan a quick update to version 4.9.1 or later. Exposed Wazuh instances will quickly become part of a botnet.
A critical vulnerability in Wazuh server is reported to be actively exploited by threat actors to deploy Mirai botnet variants for conducting distributed denial-of-service (DDoS) attacks.
Wazuh is a widely used free and open-source security information and event management (SIEM) platform used for threat prevention, detection, and response.
The vulnerability is tracked as CVE-2025-24016 (CVSS score 9.9), an unsafe deserialization flaw that allows remote code execution on Wazuh servers. The flaw can be triggered by anyone with API access (for example a compromised dashboard or another Wazuh server in the cluster) or, in certain configurations, even by a compromised agent.
Security researchers at Akamai discovered exploitation attempts in late March 2025 and in May 2025. Two different Mirai botnet variants are actively targeting this vulnerability merely weeks after its public disclosure and proof-of-concept release:
- The first botnet deploys LZRD Mirai variants upon successful exploitation. The attack involves executing a shell script that downloads the Mirai botnet payload from an external server (176.65.134.62) for different architectures. The botnet has been observed exploiting various other security flaws including vulnerabilities in Hadoop YARN, TP-Link Archer AX21 (CVE-2023-1389), and a remote code execution bug in ZTE ZXV10 H108L routers.
- The second botnet identified in the attacks employs a similar strategy, using malicious shell scripts to deliver another Mirai botnet variant referred to as Resbot (also known as Resentual). Researchers noted interesting linguistic elements in this botnet's infrastructure, with associated domains using Italian nomenclature, potentially indicating campaigns targeting devices owned by Italian-speaking users. Besides attempting to spread via FTP over port 21 and conducting telnet scanning, this botnet exploits Huawei HG532 routers (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 routers (CVE-2017-18368).
Affected versions of Wazuh include:
- All versions from 4.4.0 up to but not including 4.9.1
Patched versions:
- Wazuh version 4.9.1 and later versions
Organizations should immediately upgrade to Wazuh version 4.9.1 or later and restrict API access to only authorized users and systems.
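To turn the affected range above into a repeatable inventory check, here is an added example (not code from the advisory or from the Wazuh project) that parses Wazuh version strings into integer tuples and flags hosts inside [4.4.0, 4.9.1); the host names and versions in the sample inventory are constructed for illustration.

```python
# Triage helper for CVE-2025-24016: flag Wazuh servers in the affected range.
# Added example; host names and versions below are constructed, not real assets.

AFFECTED_MIN = (4, 4, 0)   # first affected release per the advisory
PATCHED = (4, 9, 1)        # first fixed release per the advisory


def parse_version(s: str) -> tuple[int, int, int]:
    """Turn 'v4.9.0' or '4.10.2' into a (major, minor, patch) integer tuple.

    Integer tuples matter: a plain string comparison would rank '4.10.0'
    below '4.9.1' and wrongly report a patched 4.10.x server as affected.
    """
    parts = s.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Wazuh version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in [4.4.0, 4.9.1), the range the advisory lists."""
    return AFFECTED_MIN <= parse_version(version) < PATCHED


def triage(inventory: dict[str, str]) -> list[str]:
    """Return the hosts (sorted) that still need the 4.9.1+ upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hypothetical host -> reported Wazuh server version.
SAMPLE_INVENTORY = {
    "siem-01": "4.8.2",    # inside the affected range
    "siem-02": "v4.9.1",   # first patched release
    "siem-03": "4.10.0",   # patched, but string-compares below 4.9.1
    "siem-04": "4.3.11",   # predates the affected range
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2025-24016; upgrade to 4.9.1 or later")
```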