
Mirai Botnets Attack Unpatched Wazuh Servers (CVE-2025-24016)

Summary

– Two Mirai botnets are exploiting CVE-2025-24016, a critical vulnerability in Wazuh XDR/SIEM platform, as reported by Akamai researchers.
– Wazuh is an open-source security platform whose main components are the Wazuh Manager, the Wazuh Agent, and an indexer and dashboard (Elasticsearch and Kibana in older deployments; the OpenSearch-based Wazuh indexer and dashboard in current 4.x releases) for storing, searching and visualizing security data.
– CVE-2025-24016 is an unsafe deserialization flaw in Wazuh Manager versions 4.4.0 through 4.9.0, exploitable by anyone with API access (a compromised dashboard or cluster node) or, in certain configurations, by a compromised agent; it was patched in version 4.9.1.
– The Mirai botnets use a public PoC exploit to deliver malware targeting IoT devices and also exploit old vulnerabilities in routers and Hadoop YARN.
– Botnet operators quickly adapt public PoC exploits, and skilled attackers can weaponize flaws using patch details before fixes are widely deployed.

Security researchers have identified active exploitation of a critical vulnerability in Wazuh's open-source security platform, with attackers using it to enlist unpatched servers into Mirai botnets. The flaw, tracked as CVE-2025-24016, affects Wazuh Manager versions 4.4.0 through 4.9.0 and allows remote code execution once an attacker can reach the manager's API with valid credentials.

Wazuh is a SIEM and XDR platform offering intrusion detection, log analysis and endpoint monitoring. Its architecture has three main components: the Wazuh Manager (central server), Wazuh Agents (endpoint data collectors), and an indexer and dashboard for storage and visualization (Elasticsearch and Kibana in older deployments; the OpenSearch-based Wazuh indexer and dashboard in current 4.x releases). The vulnerability is an unsafe deserialization bug in the Manager: JSON arriving through the manager's API is turned back into Python objects without restricting what it is allowed to reconstruct, so anyone who can call the API (a compromised dashboard, another manager in the cluster or, in certain configurations, a compromised agent) can make the manager execute code of their choosing.


Successful exploitation requires valid API credentials. Once authenticated, an attacker can execute arbitrary code on the manager, potentially taking full control of the affected system and of everything it monitors. The flaw was fixed in October 2024 with Wazuh version 4.9.1, but public disclosure only followed in February 2025, and by March threat actors were already exploiting it.
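To make the bug class concrete, here is an added example (not Wazuh's code, and not the public PoC) of the pattern the paragraphs above describe: a JSON `object_hook` that rebuilds exception objects from a tagged dictionary. The unsafe version resolves the class name with `eval()` and calls it with caller-supplied arguments, so whoever controls the JSON controls what runs; the hardened version only reconstructs types from an explicit allowlist and only accepts scalar arguments. The tag name `__exception__`, the allowlist and both payloads are constructed for this illustration.

```python
"""Unsafe vs. hardened JSON object_hook for rebuilding exceptions.

Added example modelling the class of flaw behind CVE-2025-24016; it is not
Wazuh's own code. The tag name and payloads are constructed for illustration.
"""
import builtins
import json

TAG = "__exception__"  # assumed tag marking a serialized exception


def unsafe_hook(dct):
    """Vulnerable pattern: resolve the class name with eval() and call it with
    positional arguments taken straight from the JSON. eval() accepts any
    Python expression, so "eval", "exec" or "__import__('os').system" are
    all valid 'class names' from the deserializer's point of view."""
    if TAG in dct:
        exc = dct[TAG]
        return eval(exc["__class__"])(*exc["__args__"])
    return dct


# Hardened pattern: the only types the hook may ever instantiate.
ALLOWED_EXCEPTIONS = {"ValueError", "KeyError", "RuntimeError", "TimeoutError"}
SCALARS = (str, int, float, bool, type(None))


def safe_hook(dct):
    """Look the name up in an allowlist, require it to be an exception class,
    and accept only scalar literal arguments. Anything else is rejected."""
    if TAG not in dct:
        return dct
    exc = dct[TAG]
    name = exc.get("__class__")
    args = exc.get("__args__", [])
    if name not in ALLOWED_EXCEPTIONS:
        raise ValueError(f"refusing to deserialize type {name!r}")
    cls = getattr(builtins, name)
    if not (isinstance(cls, type) and issubclass(cls, BaseException)):
        raise ValueError(f"{name!r} is not an exception class")
    if not all(isinstance(a, SCALARS) for a in args):
        raise ValueError("exception arguments must be scalar literals")
    return cls(*args)


def load_unsafe(payload: str):
    return json.loads(payload, object_hook=unsafe_hook)


def load_safe(payload: str):
    return json.loads(payload, object_hook=safe_hook)


# Constructed payloads. LEGIT is what the legitimate path expects; MALICIOUS
# has the same shape but names the builtin eval, so eval("eval") returns the
# builtin and the 'constructor call' evaluates attacker-supplied source.
LEGIT = json.dumps({TAG: {"__class__": "ValueError", "__args__": ["bad input"]}})
MALICIOUS = json.dumps({TAG: {"__class__": "eval", "__args__": ["7 * 6"]}})


def demo():
    """Run both hooks over both payloads and report what each produced."""
    results = {}
    results["unsafe_legit"] = load_unsafe(LEGIT)          # ValueError('bad input')
    results["unsafe_malicious"] = load_unsafe(MALICIOUS)  # 42: attacker code ran
    results["safe_legit"] = load_safe(LEGIT)              # ValueError('bad input')
    try:
        load_safe(MALICIOUS)
        results["safe_malicious"] = "accepted"
    except ValueError:
        results["safe_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The harmless `7 * 6` stands in for whatever an attacker would actually pass; the point is that the unsafe hook evaluated a string it received over the wire. Note that `eval` is only the most visible problem: even replacing it with `getattr(builtins, name)` would still let a caller instantiate any builtin, which is why the hardened hook checks the name against an allowlist and verifies the resolved object is an exception class before calling it.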

Two distinct Mirai botnets are actively targeting unpatched Wazuh servers, using a publicly available proof-of-concept (PoC) exploit to deploy malicious shell scripts. These scripts fetch Mirai variants designed for IoT devices, expanding the botnets’ reach. Researchers noted a second wave of attacks in early May, where a separate Mirai variant attempted exploitation through a non-standard Wazuh endpoint, suggesting attackers are refining their methods.

Beyond Wazuh, the botnets are probing other known vulnerabilities in Hadoop YARN, legacy routers (TP-Link, ZTE, Huawei, ZyXEL) and devices built on the Realtek SDK. This behavior highlights how quickly cybercriminals fold public exploit code into existing campaigns.

The rapid weaponization of this flaw mirrors a broader trend in which attackers work from patch details and public PoCs to build exploits before organizations apply updates. Proactive patch management remains critical, especially for a security platform like Wazuh, which holds credentials and telemetry for the whole estate. Administrators should upgrade to version 4.9.1 or later immediately and, because exploitation requires valid API credentials, rotate any default or shared API passwords, restrict which hosts can reach the manager's API port (TCP 55000 by default), and review API authentication logs for clients they do not recognize.
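A quick way to triage a fleet against the affected range stated above, as an added example (not Wazuh tooling). It parses version strings numerically, which matters because a plain string comparison puts "4.12.0" before "4.9.0"; the inventory is constructed, and the `data.api_version` field read by `extract_version` is assumed to match the manager API's `GET /` response.

```python
"""Flag Wazuh managers inside the CVE-2025-24016 affected range.

Added example, not Wazuh's own tooling. The inventory below is constructed;
the API response field name in extract_version() is an assumption.
"""
import re

AFFECTED_MIN = (4, 4, 0)   # first affected release
AFFECTED_MAX = (4, 9, 0)   # last affected release
FIXED = (4, 9, 1)          # first fixed release


def parse_version(s: str) -> tuple:
    """Turn '4.9.0' or 'v4.12.1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unparseable version {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def extract_version(api_root_response: dict) -> str:
    """Pull the version out of the manager API's GET / body.
    Assumption: the body carries it under data.api_version."""
    return api_root_response["data"]["api_version"]


# Constructed inventory: hostname -> version string as collected from each manager.
INVENTORY = {
    "mgr-01": "v4.3.11",   # below the affected range for this CVE
    "mgr-02": "4.7.5",     # affected
    "mgr-03": "v4.9.0",    # affected (last vulnerable release)
    "mgr-04": "4.9.1",     # fixed
    "mgr-05": "4.12.0",    # fixed; a string compare would misorder this one
}


def triage(inventory: dict) -> list:
    """Return the hostnames that must be upgraded, sorted for stable output."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is affected, upgrade to "
              f"{'.'.join(map(str, FIXED))} or later")
```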


For real-time updates on emerging threats, subscribe to cybersecurity bulletins that track vulnerabilities, breaches, and active exploits. Staying informed is the first line of defense against evolving attack vectors.

(Source: HelpNet Security)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.