
Akamai’s Security Intelligence and Response Team (SIRT) has uncovered active exploitation of CVE-2025-24016, a critical remote code execution (RCE) vulnerability in Wazuh servers, by multiple Mirai-based botnets. The vulnerability carries a CVSS score of 9.9 and allows remote attackers to execute arbitrary Python code via unsanitized JSON input to the Wazuh Distributed API (DAPI).
“This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025,” Akamai wrote in its report.
Disclosed in February 2025 and patched in Wazuh 4.9.1, CVE-2025-24016 affects versions 4.4.0 through 4.9.0. An attacker triggers it with a crafted run_as request to the /security/user/authenticate/run_as endpoint.
The root cause is as_wazuh_object(), the JSON deserialization hook Wazuh uses for DAPI messages: it trusts the keys of an incoming dictionary and, when a particular marker key is present, hands an attacker-supplied string to Python’s eval(), which is why the payload is arbitrary Python rather than a shell command.
“This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code,” the report explains.
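To make the mechanism concrete, the following is an added illustration written for this page; it is not Wazuh’s source, not the patch Wazuh shipped, and not code from Akamai’s report. It models the affected object_hook pattern in simplified form with a deliberately harmless expression, pairs it with one possible hardened hook (an allowlist lookup in place of eval(), the editor’s approach rather than Wazuh’s), and adds a scanner that locates the marker key anywhere in a logged request body. The request bodies are constructed samples, not captured traffic, and the key name used is the one the editor understands the affected code to check for.

```python
# Added illustration for CVE-2025-24016's mechanism. This is NOT Wazuh's source
# or Akamai's code: a deliberately simplified model of the object_hook pattern,
# a hardened counterpart, and a request-body scanner, written for this page.
import builtins
import json

# Constructed request bodies (not captured traffic). The "malicious" one uses
# the marker key that reaches eval() in the affected versions, but with a
# harmless expression ("len") so the demo cannot hurt the machine it runs on.
MALICIOUS_BODY = json.dumps(
    {"__unhandled_exc__": {"__class__": "len", "__args__": ["four"]}}
)
NESTED_BODY = json.dumps(
    {"data": [{"x": 1}, {"__unhandled_exc__": {"__class__": "len", "__args__": []}}]}
)
BENIGN_BODY = json.dumps({"user_name": "analyst", "roles": ["readonly"]})


def vulnerable_hook(dct):
    """Model of the pre-4.9.1 behaviour: the `__class__` string from the JSON
    is evaluated as Python and the result is called with attacker-chosen args."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # sink: attacker string
    return dct


# Allowlist: only built-in exception classes may be reconstructed, by name.
ALLOWED_EXC = {
    name: cls
    for name, cls in vars(builtins).items()
    if isinstance(cls, type) and issubclass(cls, BaseException)
}
SCALARS = (str, int, float, bool, type(None))


def hardened_hook(dct):
    """Hardened counterpart (this page's approach, not Wazuh's exact patch):
    look the class up in an allowlist instead of calling eval(), and accept
    only JSON scalars as constructor arguments."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        cls = ALLOWED_EXC.get(exc.get("__class__"))
        if cls is None:
            raise ValueError(f"refusing to reconstruct {exc.get('__class__')!r}")
        args = exc.get("__args__", [])
        if not all(isinstance(a, SCALARS) for a in args):
            raise ValueError("exception args must be JSON scalars")
        return cls(*args)
    return dct


def deserialize(body, hook):
    # json.loads calls the hook for EVERY object in the document, innermost
    # first, so the marker key works at any nesting depth, not just top level.
    return json.loads(body, object_hook=hook)


def demo_vulnerable():
    # eval("len")("four") -> 4: an arbitrary callable reached from a JSON string
    return deserialize(MALICIOUS_BODY, vulnerable_hook)


def demo_hardened():
    # Same body against the hardened hook: rejected before anything is called.
    try:
        deserialize(MALICIOUS_BODY, hardened_hook)
    except ValueError as err:
        return str(err)
    return None


def demo_hardened_legit():
    # A genuine exception round-trip still works under the allowlist.
    body = json.dumps(
        {"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}}
    )
    return deserialize(body, hardened_hook)


def find_eval_sinks(body, key="__unhandled_exc__"):
    """Detection helper for logged request bodies: return JSONPath-like
    locations of `key` anywhere in the document. Plain json.loads, no hook."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                if k == key:
                    hits.append(f"{path}.{k}")
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")

    walk(json.loads(body), "$")
    return hits


if __name__ == "__main__":
    print("vulnerable hook returned:", demo_vulnerable())
    print("hardened hook said:", demo_hardened())
    print("legit round-trip:", repr(demo_hardened_legit()))
    for name, body in [("malicious", MALICIOUS_BODY), ("nested", NESTED_BODY), ("benign", BENIGN_BODY)]:
        print(f"{name}: {find_eval_sinks(body)}")
```

The point of the scanner is the nesting behaviour: because the hook fires on every object in the document, a rule that only inspects top-level keys of a run_as body misses the same payload placed one level down, so defenders reviewing API or proxy logs for the first wave should walk the whole document.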
Akamai identified two distinct botnet campaigns leveraging this vulnerability, both using variations of the Mirai malware.
The first wave appeared in early March 2025, shortly after public disclosure of the CVE, targeting IoT devices with a suite of architecture-specific binaries. The malware, dubbed “morte,” is part of the LZRD Mirai family, known for its console string “lzrd here”.
“The exploit fetches and executes a malicious shell script that serves as a downloader for the main Mirai malware payload,” the report explains.
Associated infrastructure includes:
- C2 Domain: nuklearcnc.duckdns[.]org
- Payload server: 176.65.134[.]62
- Additional domains: cbot.galaxias[.]cc, neon.galaxias[.]cc, pangacnc[.]com
In May 2025, Akamai observed a second botnet, dubbed “Resbot,” exploiting the same vulnerability but distributing its payloads from Italian-language domain names such as gestisciweb[.]com, suggesting that Italian-speaking device owners were being targeted.
The malware, “resgod”, prints the console string “Resentual got you!” upon execution and also targets multiple CPU architectures. Its C2 is hardcoded to 104.168.101[.]27 over TCP port 62627.
“It was using a variety of domains to spread the malware that all had Italian nomenclature… possibly alluding to the targeted geography or language spoken by the affected device owner,” the report notes.
In addition to CVE-2025-24016, the botnets were observed chaining exploits for older, widely scanned flaws, including:
- CVE-2023-1389 (TP-Link Archer AX21 command injection)
- CVE-2017-17215 (Huawei HG532 command injection)
- CVE-2017-18368 (ZyXEL P660HN-T1A command injection)
- Exploits targeting Ivanti appliances, UPnP SOAP endpoints, and the Hadoop YARN ResourceManager API
One attack string specifically crafted for UPnP exploitation via SOAP contained this payload:
Taken together, these campaigns point to a well-resourced, fully automated operation aimed at exposed and outdated infrastructure, and they show that a security platform’s own management API belongs on the attack surface: Wazuh servers should be on 4.9.1 or later, and the API should not be reachable from untrusted networks.