A critical remote code execution vulnerability affecting Wazuh servers has been exploited by Mirai botnets, Akamai warned on Monday.
Wazuh is a free and open source security platform designed for threat detection and response. Its developers announced on February 10 that they had patched CVE-2025-24016, an unsafe deserialization issue affecting servers running versions 4.4.0 and newer, up to but not including 4.9.1, the release that contains the fix.
“An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers,” the developers explained. “The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent.”
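Because the advisory defines exposure purely by version range, the first thing a defender wants is a reliable way to flag which Wazuh servers in an inventory still fall inside it. The script below is an added example written for this article; it is not code from Wazuh or Akamai. It assumes version strings of the form `major.minor.patch`, optionally prefixed with `v` or carrying a pre-release suffix such as `-rc1`, and the hostnames in the sample inventory are constructed. The point it makes beyond the text is that versions must be compared as integer tuples: a plain string comparison would wrongly sort `4.10.0` below `4.9.1` and report a patched server as vulnerable.

```python
"""Triage a Wazuh server inventory against the CVE-2025-24016 affected range.

Affected per the advisory as reported above: 4.4.0 <= version < 4.9.1.
Example code, not part of Wazuh or Akamai tooling.
"""

# Bounds taken from the advisory quoted in the article.
AFFECTED_MIN = (4, 4, 0)   # first affected release (inclusive)
FIXED_IN = (4, 9, 1)       # first release carrying the patch (exclusive)


def parse_version(text):
    """Turn '4.9.0', 'v4.9.0' or '4.9.0-rc1' into an integer tuple.

    Assumption: Wazuh versions are major.minor.patch; a leading 'v' and any
    '-prerelease' or '+build' suffix are stripped before comparison.
    """
    core = text.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True when the version lies in [4.4.0, 4.9.1).

    Tuple comparison is what makes 4.10.0 correctly sort above 4.9.1;
    comparing the raw strings would get that case backwards.
    """
    return AFFECTED_MIN <= parse_version(text) < FIXED_IN


def triage(inventory):
    """Return the hostnames (in inventory order) still running an affected build.

    inventory: iterable of (hostname, version_string) pairs.
    """
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("wazuh-mgr-01", "4.9.1"),    # patched release itself
    ("wazuh-mgr-02", "v4.8.2"),   # affected, leading 'v'
    ("wazuh-lab", "4.3.11"),      # predates the affected range
    ("wazuh-mgr-03", "4.10.0"),   # newer than the fix; string compare would misflag this
    ("wazuh-old", "4.4.0"),       # first affected release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to 4.9.1 or later (CVE-2025-24016)")
```

Run against a real inventory export, the output is the upgrade list; anything the parser rejects should be investigated by hand rather than silently skipped, which is why `parse_version` raises instead of returning a default.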
A proof-of-concept (PoC) exploit enabling DoS attacks was made public at the time of disclosure, and a PoC designed for arbitrary code execution was released a few days later.
According to data from Akamai’s honeypots, in-the-wild exploitation attempts started in March. The cybersecurity firm has seen two Mirai campaigns exploiting CVE-2025-24016 to hack Wazuh servers.
One Mirai botnet variant has targeted the flaw since early March, with the exploit designed to fetch and execute a malicious shell script that serves as a downloader for the Mirai malware payload. The same botnet also targeted vulnerabilities in Hadoop YARN, and TP-Link and ZTE routers.
The second Mirai variant targeting CVE-2025-24016 was observed in early May, and some evidence suggests that the campaign may have been aimed at the devices of Italian-speaking users.
“The propagation of Mirai continues relatively unabated, as it remains rather straightforward to repurpose and reuse old source code to set up or create new botnets. And botnet operators can often find success with simply leveraging newly published exploits,” Akamai warned.
Akamai has made available indicators of compromise (IoCs) to help defenders detect and block these attacks.
More Mirai-related news comes from Kaspersky, which warned late last week that it had spotted a Mirai attack wave exploiting a remote command execution vulnerability tracked as CVE-2024-3721 to ensnare TBK DVR devices.
Kaspersky too has made available IoCs associated with the Mirai attacks it has observed.
UPDATE 06.12.2025: Wazuh has published a blog post to address CVE-2025-24016 and the recent attacks, saying that it believes none of its (paying) customers were impacted. The company has shared information on the conditions needed for exploitation, as well as mitigations.