Cybersecurity researchers at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh, an open-source XDR and SIEM platform, to spread the Mirai malware.
This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request to Wazuh’s API, allowing them to take control of affected servers remotely.
It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.
Two Botnets, One Goal
The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.
The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.
These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as “lzrd here”. These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning attackers quickly adapted known information.
The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means “manage web”. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”
Wazuh’s View: Risk is Low for Properly Secured Systems
Wazuh has clarified that this vulnerability, CVE-2025-24016, is an “authenticated vulnerability.” This means an attacker needs valid administrator-level credentials and access to the Wazuh server’s API to exploit it.
The company stated that this issue was fixed in October 2024 with version 4.9.1, and any system running that version or later is fully secure.
Wazuh emphasizes that the chance of exploitation is low for most users because specific conditions, often against recommended security practices, must be met. These include:
- The Wazuh server running an old, vulnerable version (4.4.0 to 4.9.0).
- The Wazuh server API being exposed to the internet, which Wazuh strongly advises against.
- The attacker having valid administrator credentials, often gained through theft, default passwords, or poor security.
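The first of those conditions is the one an administrator can check mechanically. The script below is an added example, not code from Akamai or the Wazuh project: it reads the version a Wazuh manager reports and decides whether it falls in the affected range named above (4.4.0 through 4.9.0, fixed in 4.9.1). It assumes the JSON shape of the API root response (`data.api_version`), and the sample bodies are constructed for the example.

```python
"""Flag Wazuh manager versions in the CVE-2025-24016 affected range.

Added example, not from the Akamai report or the Wazuh project. Assumption:
the JSON shape below mirrors the Wazuh API root response (`data.api_version`);
the sample bodies are constructed for this example.
"""
import json
import re

AFFECTED_MIN = (4, 4, 0)   # first affected release named in the article
FIXED = (4, 9, 1)          # first fixed release named in the article


def parse_version(text: str) -> tuple:
    """Turn 'v4.9.0', '4.10.2' or '4.9.1-rc1' into a numeric tuple.

    Numeric comparison matters: a plain string compare sorts '4.10.2' before
    '4.9.1' and would wrongly report a patched 4.10.x manager as affected.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in [4.4.0, 4.9.1)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def assess_api_response(body: str) -> dict:
    """Parse an API root response body and report the version finding."""
    version = json.loads(body)["data"]["api_version"]
    return {"version": version, "cve_2025_24016_affected": is_affected(version)}


# Constructed sample bodies shaped like the API root response (assumption).
SAMPLES = {
    "old":   '{"data": {"title": "Wazuh API REST", "api_version": "4.8.2"}}',
    "fixed": '{"data": {"title": "Wazuh API REST", "api_version": "4.9.1"}}',
    "newer": '{"data": {"title": "Wazuh API REST", "api_version": "4.10.1"}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess_api_response(body))
```

A version in range is only one of the three conditions; the exposure of the API and the credential hygiene still have to be reviewed separately.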
The company assures its customers that they have not been affected by this vulnerability. They believe the vast majority of users are also safe, as only systems with weak security, like exposed APIs and easy-to-guess passwords, would be at risk.
Beyond Wazuh: Other Exploited Flaws
While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in systems like Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers use a broad approach, trying to infect systems through any available weakness.
Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.
Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 affects actively used Wazuh servers whenever they have not been updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.