Severity
High
Analysis Summary
A critical remote code execution (RCE) vulnerability in Wazuh servers, tracked as CVE-2025-24016, has been actively exploited by Mirai botnets, according to a warning issued by security researchers. Wazuh is a widely used open source platform for threat detection and response. The vulnerability, which stems from unsafe deserialization, affects versions 4.4.0 through 4.9.0 and was patched by developers on February 10, 2025.
This flaw allows remote attackers to execute arbitrary code on vulnerable Wazuh servers. Attackers can trigger the vulnerability via API access—either through a compromised Wazuh dashboard, a vulnerable cluster server, or in certain configurations, even through a compromised agent. At the time of disclosure, a proof-of-concept (PoC) for denial-of-service attacks was released, followed shortly by a PoC for remote code execution.
Researchers reported that exploitation in the wild began in March 2025. Their honeypots detected two separate Mirai botnet campaigns leveraging CVE-2025-24016. The first campaign, active since early March, involved an exploit that fetched and ran a malicious shell script acting as a downloader for the Mirai malware. This same botnet also targeted other systems with known vulnerabilities, such as Hadoop YARN and routers from TP-Link and ZTE.
A second campaign began in early May, with some indications it may have targeted Italian-speaking users specifically. Researchers emphasized that Mirai propagation continues largely unchecked, as its open-source nature makes it easy for attackers to adapt the code to exploit newly disclosed vulnerabilities.
To support defenders, researchers have released indicators of compromise (IoCs) related to these attacks, helping organizations detect and mitigate the threat posed by these Mirai-driven campaigns.
Impact
- Denial of Service
- Remote Code Execution
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Upgrade your operating system.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.
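The affected range given in the Analysis Summary (Wazuh 4.4.0 through 4.9.0) can be checked against a server inventory before patching is prioritized. The following is an added example, not code from the original advisory or from the Wazuh project; the host names and version strings are constructed, and counting a pre-release build as its base version is an assumption.

```python
import re

# Affected range as stated in the advisory: 4.4.0 through 4.9.0, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (4, 4, 0), (4, 9, 0)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Read (major, minor, patch) from 'v4.7.2' or '4.9.0-rc1'; None if unreadable."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(text):
    """True or False for a readable version, None when it cannot be parsed."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples compare numerically per component, so 4.10.0 sorts above 4.9.0;
    # raw string comparison would sort "4.10.0" below "4.4.0".
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory):
    """Split {host: version_string} into affected / not_affected / unknown."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        verdict = is_affected(version_text)
        if verdict is None:
            result["unknown"].append(host)  # review by hand, never assume safe
        else:
            result["affected" if verdict else "not_affected"].append(host)
    return result


# Constructed inventory: hypothetical hosts and versions, not from the advisory.
SAMPLE_INVENTORY = {
    "wazuh-mgr-01": "v4.7.2",
    "wazuh-mgr-02": "4.9.0",
    "wazuh-mgr-03": "4.10.0",
    "wazuh-mgr-04": "4.3.10",
    "wazuh-mgr-05": "4.9.0-rc1",  # assumption: pre-release counts as its base version
    "wazuh-mgr-06": "not reported",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the `unknown` bucket should be checked manually rather than treated as unaffected.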