
The Akamai Security Intelligence and Response Team (SIRT) has identified Aquabotv3, a new and more sophisticated variant of the Mirai-based botnet Aquabot, actively exploiting Mitel SIP phones. This latest version uses a previously undisclosed command injection vulnerability, CVE-2024-41710, to gain control over vulnerable devices.
Unlike earlier variants, Aquabotv3 introduces an unprecedented feature—a kill signal reporting function—which alerts its Command and Control (C2) server whenever the malware is terminated on an infected device. As Akamai researchers note: “This malware exhibits a behavior we have never before seen with a Mirai variant: a function (report_kill) to report back to the command and control (C2) when a kill signal was caught on the infected device.”
This evolution suggests a more resilient and adaptive botnet, making detection and mitigation even more challenging for defenders.
Aquabotv3 exploits CVE-2024-41710, a command injection vulnerability in Mitel 6800, 6900, and 6970 series SIP phones, including firmware versions up to R6.4.0.HF1.
This flaw was initially disclosed in July 2024, with a proof-of-concept (PoC) exploit published in August 2024 by security researcher Kyle Burns. The vulnerability bypasses input sanitization checks, allowing attackers to execute arbitrary commands on vulnerable devices.
“The exploit proof of concept (PoC) shows us that an attacker could smuggle in entries otherwise blocked by the application’s sanitization checks by sending a specially crafted HTTP POST request.”
By targeting the 8021xsupport.html endpoint, attackers modify the local device configuration, triggering remote code execution during system boot.
Akamai observed active exploitation of this vulnerability in early January 2025, when attackers began using the PoC exploit to spread Aquabotv3 in the wild. The infection sequence follows these steps:
- Attackers send a malicious HTTP POST request to the target Mitel SIP phone.
- The request modifies /nvdata/etc/local.cfg, allowing code execution at boot.
- The device fetches and executes a shell script (bin.sh), which downloads and launches Aquabotv3.
Once infected, the device downloads multiple Mirai variants compiled for different architectures, ensuring broad compatibility.
This attack transforms Mitel SIP phones into DDoS botnet nodes, expanding the attack surface across enterprise networks.
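The infection sequence above leaves two network-visible events that can be correlated in HTTP flow or proxy logs. The following is an added example, not code from Akamai or from the original article: it flags phones that received a POST to 8021xsupport.html from a non-admin host and separates out those that later fetched a bin.sh. The log format, IP addresses, admin allowlist and 24-hour window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): time, src, dst, method, path.
SAMPLE_LOG = """\
2025-01-07T10:00:01 198.51.100.23 192.0.2.10 POST /8021xsupport.html
2025-01-07T10:00:05 192.0.2.50 192.0.2.11 GET /index.html
2025-01-07T10:03:40 192.0.2.10 203.0.113.7 GET /bin.sh
2025-01-07T11:15:00 192.0.2.50 192.0.2.12 POST /8021xsupport.html
2025-01-07T12:00:00 198.51.100.23 192.0.2.14 POST /8021xsupport.html
2025-01-09T09:00:00 192.0.2.14 203.0.113.7 GET /bin.sh
"""

def parse(log):
    """Turn whitespace-separated log lines into records, skipping lines without five fields."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, method, path = parts
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "method": method.upper(), "path": path.split("?")[0].lower()})
    return records

def triage(records, admin_hosts=frozenset(), window=timedelta(hours=24)):
    """Return {phone_ip: status}, status being 'config-post' or 'post-then-fetch'."""
    posts, status = {}, {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if (r["method"] == "POST" and r["path"].endswith("/8021xsupport.html")
                and r["src"] not in admin_hosts):
            posts[r["dst"]] = r["ts"]           # phone that received the POST
            status.setdefault(r["dst"], "config-post")
        elif r["method"] == "GET" and r["path"].endswith("/bin.sh"):
            seen = posts.get(r["src"])          # did this host receive a POST earlier?
            # Execution happens at boot, so the fetch can lag the POST; keep the window wide.
            if seen is not None and r["ts"] - seen <= window:
                status[r["src"]] = "post-then-fetch"
    return status

if __name__ == "__main__":
    for phone, state in triage(parse(SAMPLE_LOG), admin_hosts={"192.0.2.50"}).items():
        print(phone, state)
```

A phone left at `config-post` still warrants a look at its configuration, since the fetch may simply fall outside the chosen window or the log's coverage.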
While Mirai-based botnets are notorious for distributed denial-of-service (DDoS) attacks, Aquabotv3 introduces a new self-defense mechanism. When an infected device receives a kill signal, the malware sends an alert to the C2 server: “Aquabotv3 then reports back home. The function report_kill() sends a message to the C2 via TCP connection stating that a signal was caught.”
This monitoring may allow botnet operators to track takedown attempts, potentially deploying countermeasures or reinfecting compromised devices.
Beyond Mitel SIP phones, Aquabotv3 is exploiting multiple known vulnerabilities to maximize its reach. Akamai identified infections via:
- Hadoop YARN RCE
- CVE-2018-17532
- CVE-2023-26801
- CVE-2022-31137
- Linksys E-series RCE
- CVE-2018-10562
- CVE-2018-10561
By leveraging these flaws, Aquabotv3 is expanding its botnet footprint across a diverse range of IoT devices, increasing the potential for large-scale DDoS attacks.
Analysis of underground forums and Telegram channels reveals that Aquabot is being marketed as a DDoS-as-a-Service. Attackers are selling access to the botnet, allowing customers to launch custom DDoS attacks: “It’s been advertised under several different names offering Layer 4 and Layer 7 DDoS.”
Despite claims that the service is for “DDoS Mitigation Testing”, forensic analysis confirms active malware distribution from these domains.
