Akamai researchers have discovered active Mirai botnet campaigns that exploit a critical vulnerability in Wazuh, a popular threat detection platform. The vulnerability allows arbitrary code to be executed via the API, exposing unprotected servers to complete control by attackers.

The vulnerability, CVE-2025-24016, which the Mirai variants exploit, allows an attacker with API access to execute malicious Python code. The root cause is improper filtering of dictionaries passed to the DistributedAPI, which are deserialized in framework/wazuh/core/cluster/common.py. Akamai SIRT researchers have identified two active campaigns targeting servers running Wazuh versions 4.4.0 through 4.9.0. Although the vulnerability has been known since February, it has not yet been added to the CISA KEV list, and the first attacks were recorded in March.
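The bug class the article describes is a deserializer that rebuilds Python objects from dictionaries without restricting which types the input may name. The following is an added, generic illustration of that class and of the usual fix (an allow-list of reconstructable types with an exact field check); it is not Wazuh's code, and the tag keys `__type__` and `__data__`, the two dataclasses and the sample payloads are all constructed for the example.

```python
"""Allow-listed reconstruction of objects from JSON dictionaries.

Generic illustration of insecure deserialization of tagged dictionaries.
It is NOT Wazuh's code: the tag keys "__type__" and "__data__", the two
dataclasses and the sample payloads are all constructed for this example.
"""
import importlib
import json
from dataclasses import dataclass, fields


@dataclass
class AgentStatus:
    agent_id: str
    status: str


@dataclass
class TaskResult:
    task: str
    ok: bool


class UnsafePayload(ValueError):
    """Raised by the hardened decoder when a payload is rejected."""


def unsafe_hook(d):
    """Vulnerable pattern: trust the payload to name the class to build.

    Any importable type is reachable, so the input decides which
    constructor runs. Kept only to contrast with safe_hook().
    """
    if "__type__" not in d:
        return d
    type_name = d["__type__"]
    if "." in type_name:
        module_name, class_name = type_name.rsplit(".", 1)
        cls = getattr(importlib.import_module(module_name), class_name)
    else:
        cls = globals()[type_name]
    return cls(**d.get("__data__", {}))


# Hardened pattern: the decoder, not the payload, decides which types exist.
ALLOWED_TYPES = {
    "AgentStatus": AgentStatus,
    "TaskResult": TaskResult,
}


def safe_hook(d):
    """Only build objects from the fixed allow-list, with exact field sets."""
    if "__type__" not in d:
        return d
    cls = ALLOWED_TYPES.get(d["__type__"])
    if cls is None:
        raise UnsafePayload(f"type not allowed: {d['__type__']!r}")
    data = d.get("__data__", {})
    if not isinstance(data, dict):
        raise UnsafePayload("__data__ must be a JSON object")
    expected = {f.name for f in fields(cls)}
    if set(data) != expected:
        bad = sorted(set(data) ^ expected)
        raise UnsafePayload(f"unexpected fields for {cls.__name__}: {bad}")
    return cls(**data)


def unsafe_loads(text):
    return json.loads(text, object_hook=unsafe_hook)


def safe_loads(text):
    return json.loads(text, object_hook=safe_hook)


def is_rejected(text):
    """True when the hardened decoder refuses the payload."""
    try:
        safe_loads(text)
    except UnsafePayload:
        return True
    return False


# Constructed sample payloads.
BENIGN = '{"__type__": "AgentStatus", "__data__": {"agent_id": "001", "status": "active"}}'
# Names an importable type that was never meant to be built from input.
UNLISTED = '{"__type__": "collections.Counter", "__data__": {}}'
# Right type, extra field: the strict field check rejects it.
EXTRA_FIELD = '{"__type__": "TaskResult", "__data__": {"task": "restart", "ok": true, "cmd": "x"}}'

if __name__ == "__main__":
    print(safe_loads(BENIGN))
    print(type(unsafe_loads(UNLISTED)))  # the unsafe decoder reaches collections.Counter
    print(is_rejected(UNLISTED), is_rejected(EXTRA_FIELD))
```

The point of the contrast is that `json.loads` itself is safe; the risk appears the moment an `object_hook` lets the payload choose a type or a callable. The hardened hook keeps the mapping from tag to class on the server side and rejects any dictionary whose field set does not match the dataclass exactly, so unexpected keys cannot reach a constructor.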
Mirai is a botnet known since 2016 that infects Internet of Things (IoT) devices and turns them into an army for DDoS attacks. In the new campaigns, Mirai targets not only routers and cameras but also the security tooling of the organizations themselves. Wazuh, as an open source platform for threat detection and incident response, has become a convenient target because of its wide corporate deployment and lax control of updates.
Wazuh users should immediately update to version 4.9.1 or later, as active exploitation of the critical vulnerability is already underway. Failing to update could allow attackers to take complete control of the infrastructure. The incident is another reminder of how important regular security reviews are, even for the tools that are supposed to protect systems themselves.
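To act on the advice above, a defender needs to know which managers in an estate fall inside the 4.4.0 through 4.9.0 range and which are already on 4.9.1 or later. The script below is an added example, not a Wazuh tool: it parses version strings and sorts a constructed inventory (hostname to reported version) into the affected range, older releases outside that range, and up-to-date installs.

```python
"""Flag Wazuh installations inside the affected version range.

Added example, not a Wazuh tool. The inventory is constructed; the range
4.4.0 - 4.9.0 (affected) and 4.9.1 (fixed) are the figures reported above.
"""
import re

FIRST_AFFECTED = (4, 4, 0)
LAST_AFFECTED = (4, 9, 0)
FIXED_IN = (4, 9, 1)

# Accepts an optional leading "v" and a pre-release/build suffix such as "-rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text):
    """Parse 'v4.7.2' or '4.9.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True for versions within the range observed under attack."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def needs_update(version):
    """True for anything older than the fixed release, including the affected range."""
    return parse_version(version) < FIXED_IN


def audit(inventory):
    """Map each host to 'affected', 'outdated' (older, outside the range), 'ok' or 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            if is_affected(version):
                report[host] = "affected"
            elif needs_update(version):
                report[host] = "outdated"
            else:
                report[host] = "ok"
        except ValueError:
            # Unparseable version strings are surfaced rather than silently skipped.
            report[host] = "unknown"
    return report


# Constructed inventory: hostname -> reported Wazuh manager version.
SAMPLE_INVENTORY = {
    "siem-01": "4.9.1",
    "siem-02": "v4.7.2",
    "siem-03": "4.4.0",
    "siem-04": "4.9.0",
    "lab-old": "4.3.10",
    "lab-unknown": "n/a",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:8} {state}")
```

Versions are compared as integer tuples rather than strings, so 4.10.0 sorts after 4.9.1 correctly; a pre-release suffix is ignored for the range check, which errs on the side of flagging a release candidate of an affected version. Hosts whose version cannot be parsed are reported as unknown so they get looked at instead of disappearing from the report.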